The credentials were exposed via an attack on third-party software ...