If you haven't already...
I like the bit in the middle of the article:
'The attack was able to use compromised credentials through a temporary VPN profile that had been activated by mistake and didn't have two-factor authentication enabled.'
This is from what is (or is pretending to be) a computer security company, really!
Seems a bit strange every time a company gets hacked the attack is always "extremely sophisticated".
It may be true sometimes, but I doubt it is true as many times as the oft trotted out phrase is used.
And in the case of a security company I would say it is ineptitude or complacency to blame rather then the sophistication of the attack.
A bit like call centres' line of 'We're sorry but we're really busy right now' when they just can't be bothered to pay for the staff needed to provide the service.
And thanks El Reg for reminding me of the CCleaner thing, not that I ever trust 'cleaner' utilities.