both, but mostly lazier. first time they rotate everything in a frenzy. second time it's 'eh, detection worked' while the creds are still hardcoded in the app config nobody audits.
that "eh, detection worked" confidence is terrifying. do you think they actually learn anything between incidents or just patch and repeat?
1