We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities. Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected.
Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.
We plan to post a public update after our investigation, audit and remediations are finished.
Thank you, your trust in Canonical is important to us, which is why we make privacy and security a priority.
At least it wasn't as juvenile as the (possible actual) juvenile "hack"[0] of Gentoo's repos that had insertions of "rm -rf /" at the wrong places (where they wouldn't even execute) and insertions of racial slurs into readmes.
I just recall the takeover of the Lubuntu project by this kid, kicking out all others and his attempt to threaten others in the project at Christmas time as a ubuntu tm licensee for his website impostering as a Ubuntu trade mark owner. His forged evidence provided worked with Github staff to get others blocked. I don't trust Ubuntu accounts anymore and I don't trust Canonical because they let it happen.
Launchpad is public, think GitHub but for packages. The Canonical Launchpad repositories weren't tampered. Presumably a lot fewer people have commit access to LP since it's used for package distribution.
We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities. Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected.
Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.
We plan to post a public update after our investigation, audit and remediations are finished.
Thank you, your trust in Canonical is important to us, which is why we make privacy and security a priority.
-David on behalf of Canonical