First discovered last Wednesday, the feeling is that they have caught things before the attack escalated beyond the first stages. From early assessment they decided to disable CVS, ishell, file uploads and other website features to prevent the further escalation of any data corruption activities. The SourceForge security team will continue to work throughout the week to get services restored as soon as possible.
One of the notable issues their analysis uncovered was a hacked SSH daemon. This hacked SSH daemon was modified to capture passwords; however they do not have reason to believe how successful the attacker was in gathering passwords from SourceForge users. Just to be on the safe side, they have invalidated all SourceForge user account passwords and users have been asked to recover account access by email.
Services are also being brought back, one by one as soon as data validation is complete.
Looking towards the future, SourceForge is looking to accelerate the implementation of a new better security model. The same features that may have protected them when the security measures were put in place (about 10 years ago) do not seem to be standing the test of time.