This actually makes me wonder if cal.com has had a security breach in their hosted offering that they are not disclosing.

It seems to be more that they're using "security" as a reason for going closed source, so this is just sticking with the story.