The only public evidence I've seen for the multiple breaches claim is screenshots showing that a CMS let people create pages with new names and those pages would be served up, accompanied by hyperbole.
Stupid, but the screenshots were also showing plain text, so there's also a slim chance that there wasn't even a cookie-stealing attack made possible by this. Just bragging rights in getting plaintext up under an available name of your choice.
Stupid CMS for some web content is a long way from breach of the signing systems. If your news source is a company which sells security services, then hyperbolic claims on their part in talking up the implications of what they found are to be expected.
I'd hope that technical decisions about trust are based on more than panicked responses by non-technical decision makers to hyperbole they take at face value because they don't understand the issues.
So I'm assuming that there's yet more to this story that hasn't come out yet.