As the company explains in its fess-up post, the source of the leak was an inadequately-secured GitHub repository: an employee wasn't using two-factor authentication. 8Tracks found out when there was an unauthorised attempt at a password change, and on investigation it found backups of database tables in the staffer's repo.
The source of the leak was storing backups in source control on a public service, and inadequate access controls - either allowing devs access to production data or ops to source control! How does 2-factor auth address that?