I've been a victim of this also. I got an email that somebody had logged into my account on a device in Hanoi. Obviously not me. I checked the login history and the first login starts 7 January, and continues until now from a series of locations around the world.
Why was I not informed about all these other logins? They were all in the web application, but it should have raised a red flag, and I should have been notified.
I had an anomalous deposit into my checking account on 10 January that I had to spend some time with my bank fixing. Now I know where they got the data from.
Reading these accounts makes me think this is much more serious than they are letting on. I am downgrading/canceling. This is a huge problem. Advice on how to save these data and migrate to a new, more secure application?