This is bad. If they came out announcing this, without a long-winded explanation and further details, it's because they're staring at a bottomless pit and they haven't put the lid on it yet.

For a Fortune 100, to go out of your way to spook investors is the least desirable approach.

> For a Fortune 100, to go out of your way to spook investors is the least desirable approach.

The company that had 40 million Azure servers compromised? This is a drop in the bucket; the investors clearly do not care about this.

https://www.microsoft.com/en-us/security/blog/2026/05/18/sto...

Letting people know promptly is also the right thing to do and probably mandated by (at least some) customer contracts. You can't tell just some people; it would leak anyway.

Part of this is likely driven by regulations. GitHub has plenty of clients that fall under DORA, NIS2 or both.

I don't remember the exact wording about what qualifies as an "incident" or "major incident" but the TL;DR is that the regulated entities are required to notify their regulators of impactful supplier incidents within 24h with initial information and within 72h with more complete details.

Which in turn means that GitHub will have signed contracts that bind them to accommodating timelines.