Github has the right to "manage usernames" however they see fit. The problem is that a third party is making assumptions about these usernames and basing their entire security mechanism on it, even though that assumption is incorrect, and now they're blaming Github for it.