There is a lot of speculation around third party tools for this. It doesn't look like there was an actual breach of account security, more like many people got their info stolen from third party tools. At least that's how it looks from the data I've seen. They really need to setup 2FA natively.