by tmcdonald 5216 days ago
I thought that he added his public key to the Rails user through his own account settings, which wouldn't give him access to the Rails web admin.

This is correct. People who don't understand what a mass-assignment bug is are running with this story. It's like when we witness a DDoS and have to tolerate people who think it means that the targeted party was infiltrated.

This bug allowed one to add their public key to another user's account, and make changes to comments and issues.

What are the odds that there's a similar bug which allows changes to user accounts? If that's the case, then altering the password or email address is trivial.
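The mass-assignment mechanism the comments above are describing, as an added example that is not code from the thread or from Rails: a small Ruby stand-in for ActiveRecord-style attribute assignment, with the unfiltered form beside a whitelisted one (the attr_accessible / strong-parameters idea). The class, method and field names and the sample request are constructed for illustration.

```ruby
# Added example (not from the thread): a stand-in for ActiveRecord-style mass
# assignment, showing why an unfiltered params hash lets a request re-point a
# record at another user, and how an attribute whitelist closes that off.
# Class, method and field names are constructed.

class PublicKey
  attr_accessor :user_id, :title, :key

  def initialize(user_id)
    @user_id = user_id   # the key belongs to the logged-in user
  end

  # VULNERABLE: every key in the request hash becomes an attribute.
  # A request that also carries "user_id" moves the key onto another account.
  def update_attributes_unsafe(params)
    params.each { |name, value| send("#{name}=", value) }
    self
  end

  # HARDENED: only explicitly permitted attributes are assigned; anything
  # else (user_id, role flags, ...) is dropped and reported to the caller,
  # so the controller can log the attempt.
  PERMITTED = %w[title key].freeze

  def update_attributes_safe(params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    params.each do |name, value|
      send("#{name}=", value) if PERMITTED.include?(name.to_s)
    end
    rejected
  end
end

# Constructed request body: user 7 submits the form for their own key but
# the body carries an extra user_id field pointing at user 1.
TAMPERED_PARAMS = {
  "title" => "laptop", "key" => "ssh-rsa AAAA...example", "user_id" => 1
}.freeze

def demo_unsafe
  PublicKey.new(7).update_attributes_unsafe(TAMPERED_PARAMS).user_id  # => 1
end

def demo_safe
  record = PublicKey.new(7)
  rejected = record.update_attributes_safe(TAMPERED_PARAMS)
  [record.user_id, rejected]  # => [7, ["user_id"]]
end
```

The rejected-attribute list returned by the safe path is the signal worth logging: a request that tries to set a foreign key or role field on a form that has no such input is a detection opportunity, not just something to silently drop.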