Account compromised — private repos deleted, profile defaced, 2FA was already on

[bestt3217]

🏷️ Discussion Type

Question

Body

My account was compromised even though I had 2FA enabled. The attacker defaced my profile (changed display name, bio, README), deleted several private repositories, and created a bunch of fake repos.

Since 2FA was on, I think they got in via a personal access token rather than a password login. I found a token I'm investigating and I'm working through revoking tokens/keys/apps and checking my security log.

My questions for anyone who's been through this:

1. For deleted private repos, is self-restore under Settings the fastest path, or is a support ticket more reliable? I've already opened a support ticket.
2. Beyond revoking tokens, SSH/GPG keys, and OAuth/GitHub apps, regenerating recovery codes, and changing my password — is there any persistence method I might be missing that survives those steps?
3. Roughly how long do data-recovery/compromise tickets take to get a response?

Appreciate any pointers. Thanks.

[Tejas-h-blitz]

Really sorry this happened — here are answers to each of your questions:

1. Deleted private repos — self-restore vs support ticket?
   Both simultaneously is the right call, which you're already doing. Self-restore under Settings → Repositories works if the repos were deleted within 90 days and haven't been purged yet. The support ticket is more reliable for repos outside that window or if self-restore doesn't show them. Support can sometimes recover things the UI doesn't surface.
2. Persistence methods beyond what you've done?
   A few things people often miss:

Deploy keys — check every repository individually under Settings → Deploy keys, not just your account level
GitHub Actions secrets — attacker may have injected secrets or modified workflows
Webhooks — check both account-level and repo-level webhooks for anything unfamiliar
GitHub Apps with write access — double check under Settings → Applications → Authorized GitHub Apps
Saved sessions — go to Settings → Sessions and revoke all active sessions except your current one

3. Response time for compromise/recovery tickets?
   Typically 24–72 hours for initial response on security-related tickets. Compromise cases are usually prioritized over general support. If you haven't heard back in 3 days, reply to your ticket to bump it.
   Good luck — sounds like you're handling it the right way. 👍