I wonder if they also fell victim to the deadly credential spraying (see not having 2fa configured on a legacy machine that was somehow still running)