@jayjpatel9717 discovered it was possible for users to bypass certain rate limits by changing their username. We addressed this vulnerability by changing the rate limits to limit based on the user’s ID instead of their username.
Reported on 08-31-2016 for GitHub.com