This is the case when attackers don't get access to the database itself - imagine they were able to listen to connections between users and front-end servers, and extracted authentication information. This would only concern users connecting during a specific timeframe.
In this post for instance, they indicate that attackers got 'sync users’ passwords' while storing only 'encrypted/hashed data'.
Other possibilities: they accessed a partial backup (or prod data used in dev), a caching system, a message broker (Kafka)...
In this post for instance, they indicate that attackers got 'sync users’ passwords' while storing only 'encrypted/hashed data'.
Other possibilities: they accessed a partial backup (or prod data used in dev), a caching system, a message broker (Kafka)...