That much is not clear yet. It's possible the polyfill is an unrelated red herring, but it's also possible they somehow managed to elevate permissions. Seems the polyfill use was self hosted as well.
Maybe they managed to convince some critical service like an SSL cert provider that they were the owners of the subdomain? I don't know still wouldn't explain access to user and password database.
Maybe they managed to convince some critical service like an SSL cert provider that they were the owners of the subdomain? I don't know still wouldn't explain access to user and password database.