It's odd not to examine the "contacted a friend at GitHub" part. On the one hand, it's all too common to see this as the only escalation path at a modern tech company. On the other hand, at companies without strong internal controls, it raises the question of how to authenticate yourself to the friend at the company - especially in what the author describes as a stressful 10 minutes.

We know from postmortems that the error-handling code tends to be among the least-tested parts of a codebase, which leads to cascading failure. I wonder if an even wilier attacker could have leveraged the analogous failure here.