I’m guessing the accounts were hacked, not the site. Brute force password hack.
If passwords were hacked by brute-force then is the site providing unlimited login attempts and not blocking frequent failers? If that’s so then your password is practically no protection at all and they can all be guessed, weak or strong.