by jarcoal 1462 days ago
It's a little hard to parse parts of that paragraph, but it sounds like the repo (presumably hosted on GitHub) had access tokens granted to third-party integrations (similar to Heroku being granted access to GitHub on behalf of their mutual users).

Assuming that's true, it should be trivial for GitHub to tell them which third-party integration the token was associated with.

1 comment

AIUI, the repo contained a single token that gave access to Heroku. Additionally, a bunch of third-party tools had legitimate access to the repo. Any one of them could have been used to steal the token.