I think this is a disproportionately negative title compared to what actually happened, and solely for one word, "breach".
My opinion is that it conveys something more serious than a bug. Thousands of secrets have been leaked on GitHub/Bitbucket, and we don't need to report every single one as a "breach".
For instance, many AWS credentials have been reported as being leaked on HackerOne, but I don't see Ars writing an article for each one saying "X company breach lets outside hacker have full access to X's infrastructure".
TL;DR:
One user reported a bug to sign in using cURL.
HackerOne replied with admin credentials (session) to show that login works.
Nobody noticed.
One guy logged in, downloaded a significant amount of sensitive data (private exploits!) and then told HackerOne.
They give 20'000 USD to say nothing about it.