My reading is if you allowed Salesforce/Heroku or Travis CI access to your GitHub account/organization, then there is a chance that that grant was leaked to a malicious third party - and they may have accessed your github account and downloaded private material.
GitHub indicates they are performing an audit and if they find such evidence they will notify each account/org within the next 72 hours.
GitHub indicates they are performing an audit and if they find such evidence they will notify each account/org within the next 72 hours.