One of the common statements in development and indeed here is "when will people realise you can't roll your own auth securely and should just use a third party service".
There are a few security mantras that I wish we could get through to people on, but we security people are often guilty of having a correct answer that moves around based on what just occurred.
I've never heard your version ending with "just use a third party service".
Usually that phrase refers to libraries made by experts, not services that might be set up just as amateurishly as one's own, with the drawback of monoculture on top.
There's a false dichotomy in assuming the alternatives are 'single corporate borg' and 'a million little handrolled systems'.
Separate websites and online services having their own authentication bubble but implemented with industry-standard libraries would probably be a better alternative to both.
The gossip is that it's actually ransomware (and not having backups) and they're just saying hacker because it's less humiliating to admit. No data/evidence though, just gossip.
When will people understand that any centralized auth-related service is always going to be a prime target for criminal forces (hacking or not)?
One really doesn't need an IQ higher than 50 to understand this.