Accounts Broken or Bypassed?

“MOVEit cyber attack has more victims” https://infotechlead.com/security/moveit-cyber-attack-has-more-victims-78992

This report that I came across a few days ago still does not refer to the question of whether the culprit breached the data by breaking the password accounts of the people in charge of data protection or the bad guys were able to skip the troubles of breaking the accounts and stole the data straight away.

With some 80% data breaches reportedly being due to compromised password accounts, tech reporters could have asked those attacked companies this simple question — “Accounts broken or bypassed?”. If they refused to answer, they could have reported the fact to the public.

Ref: “By Compromising Accounts or Skipping Accounts?” (8June2023) https://www.linkedin.com/posts/hitoshikokumai_bbc-ba-and-boots-issued-with-ultimatum-by-activity-7072470073235369984-Lpta

Even where data is encrypted or tokenised, the overall security is decided in most cases by the security level of the password accounts of the people who hold a decryption/access key. How is it possible for the tech reporters to stay indifferent to this issue?