Every few months, I receive a random, unsolicited "XXXXXX is your Github authentication code" text message. Strangely I don't even have my phone number listed anywhere in Github, because I use TOTP instead of SMS. Is this something I should be concerned with? How did this happen?
I've changed my password just to be safe (it was and still is randomly generated and unused for anything else) and there are no other sessions listed in my account settings.
One (harmless) way in which this could happen is if another user incorrectly typed their phone number and actually entered yours... OTOH, I'd think that they at some point would realize they're not getting the authentication SMS and correct it.