I like the way then handle the communication about the incident.
There 2 ways to interpret the message:
1. Someone managed to get access to dev credentials and exfiltrated source code (the part that is explicitly mentioned).
2. Someone managed to push code on behalf of the compromised account and they responded to this change (not mentioned, but otherwise how would they know the account was compromised - each SCM has its logging limitations).
