Or it's just credential stuffing matching email with plaintext passwords from other old breaches, or they created 100 accounts and thus know the password, etc.

Until a more detailed investigation/write comes out it's difficult to say for certain what they have, if anything.