SITA characterised the approach as "highly sophisticated". I wonder why a group of that calibre would spend their efforts targeting this kind of data, which by AY's and SQ's accounts poses but a "very limited risk". Is there something we're not being told?
Changing passwords regularly is standard procedure even in normal times. Different password per site, high-entropy passwords, and let a password manager take care of them. 2-factor login wherever the inconvenience is not completely prohibitive. I would never store my credit card details on the AY website no matter how convenient it may render buying tickets.