The site’s maintainers said the attacker was able to access the account through “the reuse of a session token found in an old database leak through faulty configuration of session management”.