[meowface]

The post makes their mistakes pretty clear, I think. Public out-of-date Jenkins instance, SSH forwarding enabled by developers for all matrix.org servers, and not realizing they only rotated their personal Cloudflare API key and not their admin one.

It's very embarrassing for sure, but tons of huge private corporations have been breached through worse mistakes than this. Making their Jenkins public was probably the worst decision. They explain why they did it, and it's not unreasonable (radical openness and transparency, basically), but they should've thought it through more.