My bet is on the 2017 breach. Those affected/unaffected can share how old their master password is? With enough data points it can be easy to pinpoint.
So presumably back in 2017, the vulnerability was found but considered to be un-exploited, but it's maybe turning out that our master passwords did get breached back then and laid dormant for a few years, to be finally used just now?
What happens with such data is the pastes get distributed eventually (used to happen on a forum like Hackforums or Chan, moved more towards Tor I can imagine). Then it recently got in the hands of an attacker who tried to exfiltrate the data.
We don't know if the attacker tried the same password on a different service, such as Gmail for example. It does not make sense to not try this, given the geoblock.
I remember seeing on a hacker conference in 2019 a demo by some Italians (in my mind I think about Evilsocket) of a phishing attempt where they automated the process of getting the 2FA from e-mail. Geoblock or IP whitelisting is essentially a form of 2FA.
