I can confirm that yes, credentials for SolarWinds' FTP server were exposed in publicly accessible GitHub repositories, and yes, the password was Solarwinds123.
That doesn't necessarily prove that the attackers behind Sunburst used those credentials to breach SolarWinds, but it would make sense -- skilled hackers, whether they're red teamers/pen testers or nation-state threat actors, look for exposed credentials in places like GitHub as part of their initial reconnaissance.
In any case, this is BAD. In terms of widespread, devastating hacks, it's not the absolute worst-case scenario, but it's close. The only silver linings here are 1) someone, possibly Microsoft, detected the campaign, and 2) it seems like threat actors, if they are indeed Russian/APT29, breached these government agencies in advance of January in order to spy on the incoming Biden administration, and that effort has been disrupted.