I wonder how they got access the their database? I read in this thread that they likely used a supply chain attack by replacing some polyfill scripts. So they could've injected malicious code (XSS) that logged email and password to a remote server which they could have gone through. With a bit of luck they couldve gotten access to an admin account or whatever…
That much is not clear yet. It's possible the polyfill is an unrelated red herring, but it's also possible they somehow managed to elevate permissions. Seems the polyfill use was self hosted as well.
Maybe they managed to convince some critical service like an SSL cert provider that they were the owners of the subdomain? I don't know still wouldn't explain access to user and password database.
