On 2020-10-21 15:02:54 +0300 (+0300), Marios Andreou wrote: [...]
I don't think we need to worry that it was 'one of our accounts' that was compromised, at least I expect we would have known by now if there was any indication that this is the case.
The main concern is if the compromised admin account made any commits at all. So the immediate check is to make sure that all those commits were in fact merged by 'one of us' and not by any unknown account.
[...]
Not quite. The main concern is that the attacker had access (via an account in Gerrit's Administrators group) to add their own SSH key or view/add/change the REST API key for any user of the service, so could in theory have proposed a change masquerading as a regular member of your team, +2'd it as another member of your team, and approved it as yet a third member of your team, without necessarily raising suspicion. While we consider this unlikely, it was entirely possible for the first few weeks of this month.
Per my other reply on this thread, we already checked that every commit corresponds to a change in Gerrit, so it should be sufficient to just skim the last few weeks' changes and make sure you remember reviewing/approving them.
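One way to turn the review suggested above into a per-person checklist, as an added example that is not part of the original thread or of any project tooling: it groups merged changes by every account Gerrit credits as owner, positive voter or submitter, so each person can confirm they remember those actions. It assumes the changes were exported from Gerrit's REST API (`/changes/` with `o=DETAILED_LABELS` and `o=DETAILED_ACCOUNTS`); the sample data, addresses and window dates are constructed.

```python
import json
from collections import defaultdict

XSSI_PREFIX = ")]}'"  # Gerrit prepends this line to every JSON response body

# Constructed sample response; real input would come from
# GET /changes/?q=status:merged&o=DETAILED_LABELS&o=DETAILED_ACCOUNTS
SAMPLE = XSSI_PREFIX + "\n" + json.dumps([
    {"_number": 1001, "subject": "Constructed change A",
     "submitted": "2020-10-05 14:03:11.000000000",
     "owner": {"email": "alice@example.org"},
     "submitter": {"email": "carol@example.org"},
     "labels": {
         "Code-Review": {"all": [{"email": "bob@example.org", "value": 2},
                                 {"email": "dave@example.org"}]},  # no vote cast
         "Workflow": {"all": [{"email": "carol@example.org", "value": 1}]}}},
    {"_number": 1002, "subject": "Constructed change B",
     "submitted": "2020-09-28 09:00:00.000000000",
     "owner": {"email": "alice@example.org"}, "labels": {}},
])

def parse_gerrit_json(body):
    """Strip the anti-XSSI prefix, then decode the JSON list of changes."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(body)

def attestation_lists(changes, start, end):
    """Map each account to the (change, role, subject) entries Gerrit
    attributes to it for changes submitted in [start, end)."""
    todo = defaultdict(list)
    for c in changes:
        # Gerrit timestamps are UTC 'yyyy-mm-dd hh:mm:ss.f', so strings sort by time.
        if not (start <= c.get("submitted", "") < end):
            continue
        roles = [("owner", c["owner"])]
        if "submitter" in c:
            roles.append(("submitter", c["submitter"]))
        for label, info in c.get("labels", {}).items():
            for vote in info.get("all", []):
                if vote.get("value", 0) > 0:  # only approvals need confirming
                    roles.append((f"{label}{vote['value']:+d}", vote))
        for role, acct in roles:
            who = acct.get("email") or str(acct.get("_account_id"))
            todo[who].append((c["_number"], role, c["subject"]))
    return dict(todo)

if __name__ == "__main__":
    # Window is an assumption: start of the month up to the date of this message.
    lists = attestation_lists(parse_gerrit_json(SAMPLE), "2020-10-01", "2020-10-22")
    for who, items in sorted(lists.items()):
        print(who, items)
```

Any entry a person does not recognise as their own upload, vote or submit is the signal to look closer at that change.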