Agreed that entering credentials is the most serious security failure here.
It is worth noting that credentials alone are never sufficient to access a GitLab employee's account.
GitLab employees are required to use MFA on all accounts, including GitLab.com. https://about.gitlab.com/handbook/security/#security-process....
YubiKey/hardware token or TOTP (time-based one-time password) from an authenticator are necessary to access employee accounts. OTP via email or SMS is strongly discouraged and not an option for employees.