vydali aktualizaci s informacemi, jak mohlo dojít k incidentu, využili zapomenuté HTTP api a přihlášení heslem (či md5 digest) u gitolitu a hesla získali nejspíš přes server, který spravoval uživatele a pár let ho neaktualizovali.
Based on access logs, we can determine that the commits were indeed pushed
using HTTPS and password-based authentication.
The master.php.net system, which is used for authentication and various
management tasks, was running very old code on a very old operating system
/ PHP version, so some kind of vulnerability would not be terribly
surprising