The attack must have been done over Tor. My account was flagged and locked but it's not reasonable to say the password was cracked. However, I do my day-to-day browsing over Tor and the matching IP addresses caused a false positive.
It's worth mentioning, though, that the rate limiting is at the account level and not the IP level. When I was trying to get access to my account before the email was sent out, my account was locked and remained locked even after developing a new Tor circuit. How were the attackers able to circumvent the aggressive rate limiting? Three password attempts a minute is a generous estimate and it would take longer than the expected life of the universe to crack even a moderately secure password at that rate (my old password had 704 decillion permutations). Perhaps some part of GitHub isn't being rate limited?
I only have Tor logins recorded and nothing indicates that my account was compromised, so one of the exit nodes I used must also have been used by the attackers. I guess it doesn't necessarily mean that the entire attack was done over Tor. Perhaps a zombie in the botnet was running it. :)
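The account-keyed lockout the post describes, as an added illustration that is not GitHub's code: a sliding-window limiter keyed on the account name, so a fresh source IP (a new Tor circuit) does not reset it, plus the crack-time arithmetic using the post's own estimates (three attempts a minute, 704 decillion permutations). Account and IP names are constructed.

```python
# Toy model of an account-level lockout (constructed example, not GitHub's code).
# The 3/minute limit and the keyspace are the post's estimates, not measurements.
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_ATTEMPTS = 3            # "three password attempts a minute"
MINUTES_PER_YEAR = 60 * 24 * 365.25


class AccountRateLimiter:
    """Sliding-window limiter keyed on the account only, never on the source IP."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)  # account -> timestamps of failures
        self.sources = defaultdict(set)     # account -> distinct IPs that failed

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account, now):
        """True while the account still has attempts left in the current window."""
        self._prune(account, now)
        return len(self.failures[account]) < self.max_attempts

    def record_failure(self, account, ip, now):
        self._prune(account, now)
        self.failures[account].append(now)
        self.sources[account].add(ip)   # many IPs on one account is worth alerting on


def years_to_exhaust(keyspace, attempts_per_minute=MAX_ATTEMPTS):
    """Years needed to try every password at the limiter's maximum rate."""
    return keyspace / attempts_per_minute / MINUTES_PER_YEAR


def simulate():
    """Replay the post's scenario: the lockout survives a circuit change."""
    lim = AccountRateLimiter()
    for t in (0, 1, 2):                                   # three failures via exit A
        lim.record_failure("victim", "exit-node-A", t)
    still_locked = not lim.allowed("victim", 10)          # new circuit, same account
    lim.record_failure("victim", "exit-node-B", 10)       # the attempt is still counted
    return {
        "locked_after_new_circuit": still_locked,
        "distinct_sources": len(lim.sources["victim"]),
        "allowed_after_window": lim.allowed("victim", 70),  # all failures aged out
    }
```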