( Source: https://archives.gentoo.org/gentoo-announce/message/dc23d48d2258e1ed91599a8091167002 )
However I feel like the term "mirror" has been misunderstood or miscommunication in this context, so I want to add a few comments to it now that things have calmed down a bit.
Gentoo has mainly had a presence on GitHub in order to facilitate pull requests from external contributors and proxied maintainers, actually, using GitHub for anything critical goes against the Gentoo Social Contract
The primary method of synchronizing the Gentoo Ebuild Repository is using rsync, and github was never part of the mirroring infrastructure for rsync. Furthermore; for Portage users, gemato is used to verify the MetaManifests and in turn the ebuilds using OpenPGP (aka GPG aka PGP) signatures by default.
So to make it absolutely clear; mirror in the case of GitHub compromise doesn't mean it automatically results in the ebuilds being distributed to the users using regular update mechanisms.
Gentoo will publish a post mortem report once details are ready to be released, but my recommendation to users is; don't worry about this incident, it was always under control, although it is annoying to clean up the visible aspects of it.