It's always a 'sophisticated hack' when companies release details of a breach.
At least your credit card details were not exposed. Some sources are suggesting Magecart - but I'm not convinced, as that is only activated when credit card details are typed into a form and the vast majority of accounts compromised allegedly didn't include credit card data.