The specific set of data doesn't make sense either. If they were able to retrieve password hashes then I'd expect they'd have all of the user fields, which they're not claiming to have. If the threat...