Forced commits to repositories

[FaisalAshraf44]

Select Topic Area

Question

Body

I noticed some unexpected activity on my GitHub repositories and wanted to clarify the situation.

A past client recently contacted me saying that commits were made to their repository using my GitHub account, even though I did not make those commits.

• When I checked my GitHub repositories, I noticed the following:
• All of my repositories showed “Updated yesterday” (I have attached a screenshot of a few of them).
• Initially, I was able to find the same commit that the client shared with me in one of my other repositories as well.
• After this, I asked the client to remove me from their organization/repository access.
• Later, the same commit disappeared from my repositories, so I asked the client to share screenshots of the commit they saw in their repository. They were able to capture it because I had already been removed from the organization before the commits started disappearing.
• At the moment, all my repositories still show “Updated yesterday”, but when I check inside each repository there are no commits from yesterday.

I am trying to understand how this activity happened since I did not push these commits myself.

[shivrajcodez]

This situation can happen for a few different reasons, and it doesn’t always mean someone directly logged into your GitHub account.

A few things worth checking:

1. Author email vs actual account
   Git commits contain an author email, not strict authentication. If someone configured Git with the same email as your GitHub account, the commit may appear attributed to you even though it wasn’t pushed by your account.

You can verify this by opening the commit and checking:

Author

Committer

Verified / Signed status

Sometimes the committer will be different from the author.

2. Automation or CI workflows
   If the repository had GitHub Actions, bots, or CI pipelines, they might have pushed commits automatically using a token that was associated with your account or email.

3. Personal access tokens
   If you previously created PAT tokens and shared them with scripts, CI systems, or clients, those tokens may still have permission to push.

It’s a good idea to:

Revoke old tokens

Review authorized OAuth apps

Check deploy keys on repositories

4. Cached or rebased commits
   If the client rewrote history (force push, rebase, branch deletion), commits can temporarily appear and later disappear from your visible history.

This can explain why you saw them initially and then they vanished.

5. Organization permissions
   If you were an org member previously, workflows running in that org could have been configured to commit with your identity.

Recommended immediate steps:

Change your GitHub password

Enable 2FA if not already enabled

Revoke unused personal access tokens

Review authorized OAuth apps

Check GitHub security log in your account settings

If the commit still exists in the client’s repository, inspecting the commit metadata (author, committer, and signature) should reveal how it was created.

[iamwujiabao]

1. Identity vs. Authentication

The most likely reason for these commits is Email Attribution. In Git, anyone can configure their local machine to use any name and email address they choose using these commands:

• git config user.name "Your Name"
• git config user.email "your-email@example.com"

If a third party (or a bot) uses the email address associated with your GitHub account, GitHub will automatically link that commit to your profile and display your avatar, even if you didn't push the code.

2. Why Repositories Showed "Updated Yesterday"

When a repository shows an update timestamp but contains no new commits, it is typically due to Branch or Tag Activity:

• Force Pushes: If someone pushed code and then "force pushed" to overwrite it or delete it, the repository metadata updates its "last active" date, but the actual commit disappears from the history.
• Metadata Changes: Editing repository descriptions, topics, or settings can also trigger an "Updated" status without a code commit.

3. Immediate Security Steps

Even if this was just an email attribution issue, you should take these steps to secure your account:

• Check the "Verified" Status: Look at the suspicious commit on the client's end. If it does not have a "Verified" badge, it means it was not signed by your private GPG/SSH key and was likely spoofed via email.
• Review Security Logs: Go to your GitHub Settings > Security log. This will show you every login and every push made using your actual credentials. If you don't see pushes there, your account was not used.
• Revoke Personal Access Tokens (PATs): If you ever gave a token to that client or used one on their servers, revoke it immediately in Settings > Developer settings > Personal access tokens.
• Enable 2FA: If you haven't already, enable Two-Factor Authentication to ensure that even with a password, no one can log into your account..