Actions from a real-life breach raise questions about accountability for poor password hygiene and why users, policies, and security controls must work together.