What can we learn from the matrix.org compromise?
The other thing to note is that the attacker was undetected inside of Matrix’s systems for quite some time and developed a detailed understanding of their operations.
What happened?
Another big problem was their use of GitHub to store secrets and other potentially important pieces of data. This is a fairly common problem and one of the big reasons I tell people to get GitHub Enterprise or self-host GitLab and require VPN access to it.
Source: medium.com