When a user change their username or an organization name, Github creates a redirect route that allows the repositories to be accessible from their old URLs. After changing a username or an organization name old ones become available to claim. This means an attacker can claim the abandoned username or organization name and break the redirection. Therefore, if someone uses the old URL, they will be dealing with attacker's repository.

The same applies to repositories that have been transferred.


Last updated