If the attack was conducted using login credentials found on github how does this prove that 2FA/SSO are not enough? Wouldn't 2FA have prevented easy use of these credentials?