Ask HN: Went to prison for 18 months, lost access to my GitHub. What can I do?

44•joshmn•1h ago

Hi friends,

The skinny is this: I went to prison, all my personal items were stolen IRL and the same person changed a bunch of my passwords. Subsequently, I can't recover my GitHub account.

I have recovered most of my digital assets by proving I am me. Recovering my GitHub has proven to be more painful than Google's treatment regarding my Google Workspace.

I have the original phone number associated with my account, and can verify a bunch of private repos that are associated with my account—even the number of commits on one of them (almost 6900). I can't, however, provide any 2FA codes or backup codes because they are printed on paper that has, I assume, been destroyed.

I maintain two relatively popular Ruby packages that have gone stale since I've been gone, and there are projects my GitHub there that I was working on prior to my incarceration—including a SaaS I had hoped to launch post-prison and two books I was ready to publish. Having said, just opening another account isn't exactly the option I want to take.

I've opened a ticket, but I'm getting the "shit out of luck because we don't know you are you" treatment. I understand that security is important, but if one can prove they are them, what's the point?

Are there other avenues I have that I haven't explored yet?

Comments

qafy•1h ago

unfortunately, the techniques you are trying in order to get access to a dormant Github account are EXACTLY the same ones that github gets spammed with every day by bad actors attempting supply chain attacks. You don't have anything that proves your identity any more than any rando on the internet in Github's eyes at least. Everything you have presented here may be convincing enough to me, but probably not to GitHub's opsec policies.

trenchpilgrim•45m ago

Get a lawyer and contact GitHub through legal means.

clamprecht•31m ago

Is there a phone number associated with the account? How does GitHub want you to prove that you're you?

joshmn•30m ago

There is, but it's not a phone number I have access to anymore. I changed it to the said person's phone number before I surrendered so that this exact scenario did not happen. I trusted the wrong person.

abxyz•26m ago

> I can't, however, provide any 2FA codes or backup codes because they are printed on paper that has, I assume, been destroyed.

The situation you are in is very unfortunate and I am sympathetic but in GitHub's defence, this is exactly what I hope would happen when I enable 2FA. I would be very perturbed to find out that GitHub would grant access to my account given identity documents. There are some creative solutions (e.g: a countdown to the reset with progressively more aggressive email notifications to ensure the account holder is aware) but even they are problematic. So, this sucks, but it's the price we pay for security.

joshmn•23m ago

That's the same stance I have and why I'm torn. The little quirk here—where it makes slightly more sense—is that they received a legal notice at one point (from the US Government) about my account, there are plenty of online articles to corroborate me as me, and I have a fancy prison release ID that can help me identify me. Unfortunately this context is probably lost on the individuals who work their Zendesk.

abxyz•19m ago

I think the disconnect between you and GitHub support is that you're positioning this as a problem of proving your identity whereas for GitHub support it is a policy. The GitHub policy is: you lose your 2FA, you lose your account. Verifying your identity is not relevant. GitHub provides extensive tooling to protect your account (multiple methods of 2FA, recovery codes etc.) and so from their perspective, while this is deeply unfortunate, the policy is very clear and allowing you access to the account would be a major security issue (not for your account specifically, but for GitHub as an organization).

edit: https://docs.github.com/en/site-policy/other-site-policies/g...

MrGilbert•11m ago

I'd assume that there is simply no "ok, this individual got released from prison and can proof everything" policy in place, and that might be the real issue here. Big organizations begin to tumble once you request something where there are no policies in place.

ryandrake•6m ago

These (for good reason) draconian policies are the reason I am still hesitant to embrace 2FA. I understand the significant improvement in your security posture, and I would not want someone not-me to be able to reset my credentials. But the failure mode is just too catastrophic. You lose one thing and you are shit out of luck.

We need something better. I don't know what it would be.

hluska•14m ago

I’m not sure that blaming tech support for not understanding context is the best approach here. The other sides of that context, which are understandable from their point of view, is that you were charged with some serious crimes. There’s a large delta between the charges and the conviction, but you’ve got some scary words written about you online. Secondarily, GitHub has policy so whereas you’re coming at it from a position of being correct, they’re in a position where they have to break policy. That’s a big risk.

Your best bet would likely be legal. US Federal law imposes some strict rules on lawyers for identity verification to combat money laundering so attorneys have a legally recognized toolkit to verify identity. Having a third party who works for you in the mix could help. Though again, it would involve breaking their policy so this would be a decision made several layers above Zendesk access.

Otherwise, I think this is doing precisely what 2FA is meant to do. It’s not okay for you and you’ve clearly lost a lot because of this, but with the current threat environment, GitHub has to be very careful especially with 2FA. From their point of view, there likely isn’t that big of a gap between your interactions and interactions with people who are trying to take over accounts. A lawyer may not work, but it sure changes that equation.

Retr0id•7m ago

As a matter of policy, sure. But at the same time, I bet there are some GitHub employees reading this that would be in a position to pull some strings and make an exception. For OP's sake, I hope I'm right!

randunel•5m ago

Social engineering attacks are a thing, you know...

liquidise•23m ago

I haven't any help to offer, but want to say that this post along with reading your site the other day has shown a level of composure and resiliency that i aspire to.

Good luck getting your access back.

xwowsersx•19m ago

Thoughts of the top of my head:

- If the most important thing is control of the Ruby gems, reach out to RubyGems.org support

- for your projects, if you have are past collaborators on those repos, they can sometimes open GH tickets referencing the project and vouch for you. Doesn't guarantee success, but adds weight

- GH (being part of MSFT) does have some channels for escalated identity verification. Lawyers or notarized ID may be needed...possibly expensive, but sometimes the only way

GH support is extremely strict on account recovery once 2FA/backup codes are gone. I wish you luck!

joshmn•17m ago

I was able to recover my Rubygems account :); unfortunately my projects were all private and solo :(; I am currently looking into lawyers—if anyone has any recommendations here my inbox is open.

CPLX•12m ago

You could initiate some kind of legal action to access your data. You'd need a lawyer.

I think it's likely that you wouldn't have legal grounds to force them to give you your data but it's an approach that would most certainly get their attention at a higher level than anything you're able to do from a customer service perspective.

You'd have to have some legal argument as to why they could be obligated to produce the records under subpoena but the standards for that could be quite low.

the__alchemist•6m ago

I'm perpetually worried (and partially prepared) for this sort of scenario, as more of my accounts require 2FA. I dread the day I lose or break my phone, have my items stolen, there's a weather disaster etc. I try to make my hobby repos public and/or backed up in multiple places as a hedge.

jackconsidine•6m ago

FWIW I had a similar conundrum with Slack. I had set-up my business Slack workspace in college; 4 years after graduation my university changed policies (they used to forward name@edu => name@alumni.edu).

I tried the normal means (support tickets etc) to no avail. The third or fourth time I got someone in account recovery. There was a very formal process for verifying my identity (I'm sure based on the process this happens all the time). Eventually I they helped me recover my account. It probably took a few months on the whole, but once I got the right support rep it was only a week or so.

So my advice would be to submit more tickets. Because they might have a process that not all support agents know about, and some are more helpful than others.

Mixologician: Drinking with Datalog

I Shipped 2 Months of Features in 3 Weeks with LLM Agents

Photonic Switches Promise to Keep GPUs Fed, Cool

GPT-5 Oracle

OpenAI Valuation Reaches $500B, Topping Musk's SpaceX

The Internet Is Better on Comet

PitchRaft – Heatmaps and Analytics for Pitch Decks

The Shadow of Desire: Painting the Origins of Art (Ca. 1625–1850)

Slow down and protect things: Fed independence and the Supreme Court

Show HN: Term – Data validation that runs anywhere, no infrastructure needed

Ask HN: What's the Deal with Plastic Guns?

Should I Switch from Git to Jujutsu

Arm Says Neoverse Is a More Universal Compute Substrate Than x86

RenderScholar – Scrape real papers from Google Scholar (no hallucinations)

Hacktoberfest 2025

Subpoena tracking platform blames outage on AWS social engineering attack

ClickHouse 25.9

Infinite Git Repos on Cloudflare Workers

JavaScript or Rock Band?

Sycophantic AI increases attitude extremity and overconfidence

Comparing a RISC and a CISC with Similar Hardware Organization

Indefinite Backpack Travel

Wikidata: Embedding Project (Officially Launched)

How to live to 117? Researchers find clues in the oldest woman

Show HN: Tools in One Chrome Extension

When Asked about Reading

Mamdani Says He Would Phase Out NYC Gifted Program for Early Grades

First of Its Kind Electric RV Has Its Own Range Extender

Show HN: Developer Portfolio Inspiration

The Lifespan of Our Universe