You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

Data from deleted and private repositories on GitHub can be accessed indefinitely due to the platform's architectural design. This vulnerability, termed Cross Fork Object Reference (CFOR), allows users to fetch commit data via known or brute-forced SHA-1 commit hashes, even if the repository or fork has been deleted. This issue can expose sensitive information and is inherent to how GitHub manages repository networks.

Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.

GitHub needs to be way clearer about how forks and repo deletion work. Wild!

pretty shocking are we saying that we cannot delete a private repo once it’s been made public and when it’s been forked? What is the solution? I looked at another article referenced within this one and it seems the jury is still out on it, or am I missing something?

Doesn’t surprise me at all. I unknowingly forked a Github repo that had some copyrighted content in it. Some time later a received a DMCA strike demanding to remove the infringing content in 1 business day. I could not make the repo private ou delete-commit the file. The part where I should not make the repo private REALLY got my attention. This shit ain’t private…