I think this is a disproportionately negative title compared to what actually happened, and solely for one word, "breach".

My opinion is that it conveys something more serious than a bug. Thousands of secrets have been leaked on GitHub/Bitbucket, and we don't need to report every single one as a "breach".

For instance, many AWS credentials have been reported as being leaked on HackerOne, but I don't see Ars writing an article for each one saying "X company breach lets outside hackers have full access to X's infrastructure".
The breach is here: https://hackerone.com/reports/745324

TL;DR:
One user reported a bug to sign in using cURL.
HackerOne replied with admin credentials (a session cookie) to show that login works.

Nobody noticed.
One guy logged in, downloaded a significant amount of sensitive data (private exploits!) and then told HackerOne.
They gave him 20'000 USD to say nothing about it.

End of story.