Direct link to an unofficial and 3rd party retrospective, it would seem.

> As Squarespace has yet to release an official statement or postmortem, the following is our strongest theory on how the threat actor was able to gain initial access to Squarespace accounts. It is the most likely explanation given the information we collected from numerous affected companies and experiments we ran ourselves.