What the page doesn't tell me is: What is their definition of an "affected" account?

Obviously one where an attempt was made, and succeeded, would count as affected.

But would an account where an attempt was made, and failed, also count?

What if the userid and password are correct, but 2FA stopped the attack on an account. Is that account affected, in their view?

> But would an account where an attempt was made, and failed, also count?

I wouldn't think so. There must be countless incorrect password attempts all the time.

> What if the userid and password are correct, but 2FA stopped the attack on an account. Is that account affected, in their view?

Interesting question. I'd hope they'd inform me if somebody had my password and was only blocked by 2FA.

Wouldn't you have gotten unexpected 2FA notifications if that were the case?

This is true only if you use SMS for 2FA.

For either method, you can audit the activity of your account on the GitHub security page: https://github.com/settings/security. For example, upon having deliberately got my 2FA token wrong, "user.two_factor_requested" and "user.failed_login" events were logged for me.
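An added example, not part of the thread: a small Python triage of security-log records that separates source IPs that got as far as the 2FA prompt and then failed from those that only ever failed the password. The JSON-lines layout and the field names `created_at` and `actor_ip` are assumptions, the sample records are constructed, and only the two event names come from the comment above.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records. The JSON-lines layout and the "created_at" and
# "actor_ip" field names are assumptions, not a documented export schema.
SAMPLE_LOG = """\
{"action": "user.failed_login", "created_at": "2024-01-01T08:00:00Z", "actor_ip": "203.0.113.9"}
{"action": "user.failed_login", "created_at": "2024-01-01T08:00:10Z", "actor_ip": "203.0.113.9"}
{"action": "user.two_factor_requested", "created_at": "2024-01-01T09:15:00Z", "actor_ip": "198.51.100.7"}
{"action": "user.failed_login", "created_at": "2024-01-01T09:15:20Z", "actor_ip": "198.51.100.7"}
{"action": "user.two_factor_requested", "created_at": "2024-01-01T10:00:00Z", "actor_ip": "192.0.2.44"}
"""

WINDOW = timedelta(minutes=5)  # how soon a failure must follow the 2FA prompt

def parse(text):
    """Return (timestamp, action, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["action"], rec["actor_ip"]))
    return sorted(events)

def classify(events, known_ips=frozenset()):
    """Return (blocked_at_2fa, wrong_password_only) sets of source IPs.

    blocked_at_2fa: a 2FA prompt was issued (password accepted) and a failed
    login followed from the same IP within WINDOW.
    wrong_password_only: failed logins with no 2FA prompt at all.
    IPs in known_ips (your own addresses) are skipped.
    """
    prompts, failures = {}, {}
    for ts, action, ip in events:
        if ip in known_ips:
            continue
        if action == "user.two_factor_requested":
            prompts.setdefault(ip, []).append(ts)
        elif action == "user.failed_login":
            failures.setdefault(ip, []).append(ts)
    blocked = {
        ip for ip, asked in prompts.items()
        if any(timedelta(0) <= f - p <= WINDOW
               for p in asked for f in failures.get(ip, []))
    }
    return blocked, set(failures) - set(prompts)

if __name__ == "__main__":
    blocked, wrong = classify(parse(SAMPLE_LOG))
    print("password accepted, stopped at 2FA:", sorted(blocked))
    print("password rejected only:", sorted(wrong))
```

An IP in the first set that is not one of your own is the case discussed above where the password is known and only 2FA held, so the password should be changed.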