Good to finally have some details. Those details, it turns out, are worrying.

My prime concern upon reading this summary is that there were two *separate* breaches, one for
the Fedora servers, and one for the Red Hat servers. It seems reasonable to presume that this
isn't a coincidence, for two such successful attacks to occur in close proximity. So, this is
a targeted effort against both Red Hat and Fedora, which by itself worries me.

In addition, this appears to be a serious breach in the sense that it isn't incidental to one
particular machine. That is, it seems most reasonable that the same attack method worked on
both targets. To me this implies that it wasn't a socially-engineered stealing of a password
to an account on one of the machines, as this wouldn't work for the other - unless a single
user has accounts on both, with the *same* password (not a good idea in general, but many of
us fall prey to this sort of thing...). If not, then the attackers have a method that works
against both the Fedora and Red Hat servers; it is possible that they have in their hands
details of a security vulnerability shared between these systems, which appears to me to imply
that it might be present in lots of systems around the world.

All of that said, it does appear Red Hat/Fedora are taking these intrusions seriously, and
that little actual damage has been done; that is the good news here as I see things.