I believe they tried blaming this on the creator of the C++ port of their server software without any proof and it sort of left a bad impression with me.
The post makes their mistakes pretty clear, I think. Public out-of-date Jenkins instance, SSH forwarding enabled by developers for all matrix.org servers, and not realizing they only rotated their personal Cloudflare API key and not their admin one.
It's very embarrassing for sure, but tons of huge private corporations have been breached through worse mistakes than this. Making their Jenkins public was probably the worst decision. They explain why they did it, and it's not unreasonable (radical openness and transparency, basically), but they should've thought it through more.
I think everyone should be free to post whatever they want; nonetheless, providing some kind of source for incriminating claims would be great, if only to make verifying them easier for other users.
In any case, this kind of post is a reminder to stay alert and think critically; otherwise, we would believe many instances of misinformation without giving them a second thought. And we cannot expect others to downvote comments to oblivion or moderate them: it's something we ourselves have to be responsible for.
That post had nothing to do with the security incident in question here (which happened April 11th 2019; that post is from March). The details in that post are sadly true (as others confirm on that thread).
However, we have no reason to believe there was a link to the April incident.
Yes, and he was, by his own admission, repeatedly bragging about exploiting bugs in Matrix's beta design which we hadn't fixed fast enough in his estimation (hijacking Matrix HQ; bricking #matrix-dev; threatening to loop over all public rooms to brick them unless we paid him; etc.). It wasn't exactly subtle, and it's bizarre if you think we're making this up or presenting it without evidence.
However, the matrix.org security breach in Apr 2019 was unrelated to him, as far as we know.