Not compromised?
So it says no one's data was compromised. Does that mean none of their tools log in to their servers, or have any auto-update/news/whatever functionality that calls out to their servers? Because, if so, that means users may have been connecting to an attacker-controlled server. In theory, one could use this to send an 'auto-update' of their own, or otherwise send tainted input to the client.