Regardless of what corporation it is. Always assume they got hacked.
Unless of course all their users' data is end to end encrypted, all with unique keys.
if a company like that gets hacked then it's like an intruder in an apartment complex, you got through the first door, now you need to break into each account one at a time.