> permitted a single ECS task role "read access to every secret in the account, including the production Redshift master credential."

...

> noting that the stolen information was old and consisted mostly of non-critical details

So I guess 'mostly' is doing a lot of heavy lifting, and they hadn't rotated the credentials in a long time