Security Fail once again
"It's also created an “authentication microservice” that completely separates customer applications from customer credentials"
The question is: why didn't they start with that in the first place? It cannot be because they just didn't think of it, right? I mean, I'm not an InfoSec guru by a long shot, but it seems to me that such a configuration is basic when talking about secure authentication, no? You want a minimum of internet interaction until you're sure of who it is you're talking with.
In any case, good on them to have made the change. Shame that it had to be following a breach, and that they didn't put the money there in the first place.