Maybe it's just me, could "private GitHub coding site" have meant a private GitHub repo with GitHub pages turned on?
If that were the case, there would be no authentication whatsoever to access the closed-source site; the hacker would have just needed to guess the right url.
If that were the case, there would be no authentication whatsoever to access the closed-source site; the hacker would have just needed to guess the right url.