From what I’ve heard people got their accounts at random other companies/ services hacked, their emails and passwords were posted/ sold online, and then the hackers bought them and tried entering them into 23andMe which succeeded for a number of users who use the same creds across services. I agree the article could have been clearer, but it does seem like a meaningful distinction to me that 23andMe itself didn’t get hacked
I’m relatively sure that’s from the same incident