My account has been compromised

[hieunguyen250102]

🏷️ Discussion Type

Question

💬 Feature/Topic Area

Other

Body

I am currently unable to log in because I believe the attacker has changed my password and/or enabled two-factor authentication (2FA) without my consent.

Below is the information I can provide:

Incident Details:
I first noticed the issue on 08/06/2026. My usual sign-in method via [Sign in with Google / Password] no longer works. The system now requests a 2FA code, which I never set up, confirming the account has been taken over by an attacker, attacker added classic token with full scopes ( gx33y).

My Access Situation:

• I no longer have access to the compromised account.
• I have not enabled 2FA on my account before, so I do not have any recovery codes.

Please help me!

[Aarav01go]

Man, that is a terrifying situation. Getting locked out by an attacker who set up 2FA is the ultimate nightmare scenario, but you aren't the first person this has happened to.

Since the attacker changed the password and locked you out with their own 2FA, there is absolutely no self-service way to fix this. You cannot reset it yourself.

Here is exactly what you need to do right now:

1. Submit an Account Recovery Request
   Go straight to the GitHub Account Recovery form.

Use an email address you currently have secure access to so GitHub can contact you.

2. Prove Your Identity
   GitHub support will need hard proof you own the account before they remove the 2FA. In your ticket, include:

The exact date you lost access (June 8, 2026).

The malicious token information you found (gx33y).

Any SSH public keys you previously associated with your GitHub account (you can find these on your local machine).

Previous billing information or receipts if you ever paid for GitHub Pro or Copilot.

The original email address used to create the account.

3. Ask Support to Nuke the Tokens
   Explicitly tell GitHub Support to revoke all active Personal Access Tokens (especially that full-scope classic token) and kill all active sessions immediately.

4. Secure Your Google Account
   You mentioned you normally use "Sign in with Google." If they got into your GitHub, your Google account or your local machine might be compromised. Change your Google password immediately, run a malware scan on your computer, and turn on 2FA for your email.

It might take a few days for Support to verify everything and manually rip out the attacker's 2FA, so get that ticket in as soon as possible.

[AniXDex]

Hi @hieunguyen250102. If your account was compromised and 2FA was enabled without your consent, please contact GitHub Support immediately and provide all relevant details, including the approximate date of the takeover and the token identifier you mentioned. Avoid sharing any additional sensitive information publicly in this discussion.

I hope you're able to recover your account soon.

If this answer helped, please consider marking the discussion as answered to help others in similar situations. 🙂