Maybe they're doing this now that it's a real problem?

At any rate, don't store really sensitive stuff on Github. It's a bad idea for many reasons, security flaws being one. In particular, keep in mind things like AWS server credentials which might go in your repository.

Doing it by username means the real user can lose access to their account, whilst it is being attacked, even though they might have strong password.