There has recently been an attack on GitHub via stolen OAuth tokens from travis and heroku . I (as well as at least one other owner of the Matplotlib organization on github) have been notified that we had the list of the organizations that be belong to read by the attackers. However I did not receive any other disclosures from GitHub so I believe that there were no further access to anything related to Matplotlib.
From the information available, it appears that the attackers were looking for private repositories in targetted organizations and were not able to access any other information or credentials stored by GitHub nor change anything.
The Matplotlib organization does not have any private repositories.
At this time there is no indication that action is needed by Matplotlib.