Time-traveling spam with cloned username?

Hi all!

So I made a Gitlab account on gitlab.com on Saturday the 19th and a repo for my new project (empty thus-far). I made it private so I didn’t think anyone would be able to access it: https://gitlab.com/JosephXylon/tidytask

This morning 29 Spam Issues and 29 Spam Merge Requests have appeared on my repo appearing to have been created by my own account. And they are dated 2 months ago before my account or this repo existed. I even checked my account activity and it has hundreds of actions all dated Sept 25th?

My first thought was that my account had been compromised but i can’t imagine how that would happen as I use strong passwords and have only logged in from one, fully patched computer.

The comments are all Latin Lorum Ipsum and include links to localhost URLs.

What do people think has happened?


Authentication log and Active Sessions in my profile does not show any extra logins other than me.

My SSH key is 4096 bit RSA and I have never exposed the private key to my knowledge. And my private key is even password-protected using very strong password too.

Just a quick question. How did you create the project? Did you use the “create from template” option, and then sample gitlab project?

Because I just did that right now, and gives me 29 open issues, with lorem ipsum data. Better would have been to choose the option “create blank project”.

Oh yes I did “create from template” exactly like you describe…

I guess mystery solved?

Thanks iwalker!