It appears someone used a combination of XSS on an Apache domain, a url shortener, and an issue tracking system to ultimately lead to rooting of 2 core Apache machines used to host bugzilla, and the main shell server. This is a great breakdown of a real world incident that people rarely publicly speak about, so rather than repeating what the apache blog says here, check it out for yourself it's a good read.

Details: https://blogs.apache.org/infra/entry/apache_org_04_09_2010