HACKER Q&A
📣 joshmn

Went to prison for 18 months, lost access to my GitHub. What can I do?


Hi friends,

The skinny is this: I went to prison, all my personal items were stolen IRL and the same person changed a bunch of my passwords. Subsequently, I can't recover my GitHub account.

I have recovered most of my digital assets by proving I am me. Recovering my GitHub has proven to be more painful than Google's treatment regarding my Google Workspace.

I have the original phone number associated with my account, and can verify a bunch of private repos that are associated with my account—even the number of commits on one of them (almost 6900). I can't, however, provide any non-expired 2FA codes (I have old ones that have expired!).

I maintain two relatively popular gems that have gone stale since I've been gone, and there are projects in there that, well, I need for my survival. Having said that, just opening another account isn't exactly the option I want to take.

I've opened a ticket, but I'm getting the "shit out of luck because we don't know you are you" treatment. I understand that security is important, but if one can prove they are them, what's the point?

Are there other avenues I have that I haven't explored yet?


  👤 trenchpilgrim Accepted Answer ✓
Get a lawyer and contact GitHub through legal means.

👤 qafy
Unfortunately, the techniques you are trying in order to get access to a dormant GitHub account are EXACTLY the same ones that GitHub gets spammed with every day by bad actors attempting supply chain attacks. You don't have anything that proves your identity any more than any rando on the internet, in GitHub's eyes at least. Everything you have presented here may be convincing enough to me, but probably not to GitHub's opsec policies.

👤 the__alchemist
I'm perpetually worried (and partially prepared) for this sort of scenario, as more of my accounts require 2FA. I dread the day I lose or break my phone, have my items stolen, there's a weather disaster etc. I try to make my hobby repos public and/or backed up in multiple places as a hedge.

👤 heldrida
There are alarming statistics about phone snatching in London. Plus, we are NOT OUR PHONES. Doesn't GitHub have a way for people to verify and prove somebody's identity? Given that's a fact, isn't it best to disable 2FA and stop recommending it to people?

👤 jackconsidine
FWIW I had a similar conundrum with Slack. I had set up my business Slack workspace in college; 4 years after graduation my university changed policies (they used to forward name@edu => name@alumni.edu).

I tried the normal means (support tickets etc.) to no avail. The third or fourth time I got someone in account recovery. There was a very formal process for verifying my identity (I'm sure based on the process this happens all the time). Eventually they helped me recover my account. It probably took a few months on the whole, but once I got the right support rep it was only a week or so.

So my advice would be to submit more tickets. Because they might have a process that not all support agents know about, and some are more helpful than others.


👤 abxyz
> I can't, however, provide any 2FA codes or backup codes because they are printed on paper that has, I assume, been destroyed.

The situation you are in is very unfortunate and I am sympathetic but in GitHub's defence, this is exactly what I hope would happen when I enable 2FA. I would be very perturbed to find out that GitHub would grant access to my account given identity documents. There are some creative solutions (e.g., a countdown to the reset with progressively more aggressive email notifications to ensure the account holder is aware) but even they are problematic. So, this sucks, but it's the price we pay for security.


👤 xwowsersx
Thoughts off the top of my head:

- If the most important thing is control of the Ruby gems, reach out to RubyGems.org support

- For your projects, if you have past collaborators on those repos, they can sometimes open GH tickets referencing the project and vouch for you. Doesn't guarantee success, but adds weight

- GH (being part of MSFT) does have some channels for escalated identity verification. Lawyers or notarized ID may be needed... possibly expensive, but sometimes the only way

GH support is extremely strict on account recovery once 2FA/backup codes are gone. I wish you luck!


👤 __alexander
Why not create a new account and fork your old repositories? You can restart with updating your old projects and over time you’d build back up that reputation. I’d also add a note that you were the previous author and lost access to the repositories.

👤 bogwog
> all my personal items were stolen IRL and the same person changed a bunch of my passwords.

Have you filed a police report? Do you know who this person is? Getting your stuff back might be easier than dealing with GitHub support.


👤 bena
Do you personally know the person who stole all of your items and accounts?

I understand if you can't get or won't get in contact with them, but I'm curious as to whether this was a random or someone taking advantage of you.

Edit: Never mind, I saw your response to someone else.


👤 johtso
Maybe, depending on where you are in the world, you could make some kind of GDPR request to get access to your data, even if you don't recover your account?

👤 clamprecht
Is there a phone number associated with the account? How does GitHub want you to prove that you're you?

👤 logicallee
Very off-topic on the subject of prison:

Just a reminder to everyone at NSA and all telecom companies and private companies, that there are 100,000 FBI agents slowly but surely gathering evidence through personal interviews and in online comments, to put you in prison.

If you are dropping or disconnecting phone calls or messages from my wife to me or aiding and abetting anyone doing so, your homes and offices will be raided and you are going to prison - and for a lot longer than 18 months.


👤 liquidise
I haven't any help to offer, but want to say that this post along with reading your site the other day has shown a level of composure and resiliency that I aspire to.

Good luck getting your access back.


👤 apwell23
Thief changed your GitHub password? Why? How did he get access to your GitHub account?

👤 CPLX
You could initiate some kind of legal action to access your data. You'd need a lawyer.

I think it's likely that you wouldn't have legal grounds to force them to give you your data but it's an approach that would most certainly get their attention at a higher level than anything you're able to do from a customer service perspective.

You'd have to have some legal argument as to why they could be obligated to produce the records under subpoena but the standards for that could be quite low.


👤 devoutsalsa
What you might consider doing is try contacting Ruby Central, or whoever it is that runs Ruby Gems. Even if they can't/won't give you access to the account, I'm wondering if they could/would freeze publishing updates to these gems until the account "owner" proves they are who they say they are. That way they don't risk giving control to someone who is hard to verify (you) and they prevent malware from being uploaded by the person who now controls your email until they verify they are you (which obviously they shouldn't be able to do).

👤 6stringmerc
WELCOME TO TANGENTIAL INJUSTICE!

Lost access to my phone, then went to Tarrant County jail awaiting trial (innocent until proven guilty but $250,000 bond where no humans or property harmed), and only was able to get a few G-M-@-1-L related accounts reset following a plea bargain to get back my freedom. Lots of corpses in that system. IYKYK.

What can you do? Ask nicely. Hope to escalate. First off though, think of Jack Handey...

If you lost your keys in lava, man, let 'em go, they're gone.


👤 lesuorac
I wonder if you can make a creative small claims court claim against them.

Denying access to some repo where you spent x hours on which can be resolved by them paying you y dollars * x hours. And then hoping a lawyer takes pity on you and restores the account?


👤 amanzi
Coincidentally, this article was posted on HN yesterday and has been playing on my mind... https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my...

👤 didgetmaster
It sounds like you trusted someone you shouldn't have. This person wouldn't happen to be someone who also has spent some time in prison?