I wonder if alerts did come in, but Microsoft didn't respond quickly enough. That's giving them the benefit of the doubt, though; very possible they weren't monitoring this system. If they were, they probably would have identified the fact that it was exposed to the internet via a public GitHub repository....

Agreed. That was a great read and cautionary tale about not following best practices!