So presumably back in 2017, the vulnerability was found but considered to be un-exploited, but it's maybe turning out that our master passwords did get breached back then and laid dormant for a few years, to be finally used just now?
What happens with such data is the pastes get distributed eventually (used to happen on a forum like Hackforums or Chan, moved more towards Tor I can imagine). Then it recently got in the hands of an attacker who tried to exfiltrate the data.
We don't know if the attacker tried the same password on a different service, such as Gmail for example. It does not make sense to not try this, given the geoblock.
I remember seeing on a hacker conference in 2019 a demo by some Italians (in my mind I think about Evilsocket) of a phishing attempt where they automated the process of getting the 2FA from e-mail. Geoblock or IP whitelisting is essentially a form of 2FA.
