What? No, that isn't "how Git works"!

Yes, of course it's possible to claim to be someone else on an unsigned commit, and that's a good thing nearly all the time, because otherwise things like git cherry pick or git rebase would fail unless every single commit in question were owned by you.

But git does not let you rewrite the root of your tree of commits under any circumstances. Each node in the Merkle tree that is a Git repository has the hash of all its parents encoded into it.

In order to substitute your new tree for the original one, you'd have to generate a hash collision each node, which is very hard but not impossible for SHA-1 in general but has never been demonstrated for git because of the many additional constraints.

What happened was much duller - someone subverted an email account, and simply rewrote the whole tree in one place.

But git is a distributed system. Everyone else knew something was wrong when this new tree had nothing to do with their tree. Many other nodes and developers have a copy of the whole tree and were able to put it back in an instant.