I doubt they "breeched the cloud service" provider. They almost certainly exploited no 2fa controls on the clients access via the clients network, which is what GP was saying. If you're on a businesses network it's too easy to get at their cloud storage or dbs because they should be on a secure overlay network.