A very good write up of the impressive attack that was carried out on these two groups; http://www.zdnet.com.au/hackers-use-atlassian-to-compromise-apache-339302448.htm
It is good that this underlines the real power of an XSS, I have heard people dismiss XSS and this will be good to pull out at times like that. But it wasn't just XSS it was a co-ordinated multi-pronged attack. Work of real pro's. Just goes to show if someone wants in badly enough they will get in.
I know some of the people at Altassian and I would say that unfortunately they got attacked by a better opponent. No one is infallible. It is good though how Altassian handled it then how Apache handled the resultant attack. I would say Altassian was the target because of the donation to Apache, it made them a target.
Oh yeah and I have said it before and I will say it again, I hate URL shortening services they should all die in a fire, if twitter wants to stick to the 140 characters (which is a good thing) move to putting URL's in the page as a simple html link that goes at the bottom ala the way Facebook does it.