Looks like that was just credential stuffing, though, not an actual vulnerability. Unique passwords and 2FA are enough to stop your account being compromised. They’ve been good enough to refund anything spent as a result of this. There have been far worse breaches and less reasonable companies, although I understand any concern after this sort of thing is reported.