There is a story in 'The Register' and the comments discuss how it was probably actioned.
http://www.theregister.co.uk/2018/04/11/great_western_rail_advises_customers_to_change_passwords_following_breach/Great Western Rail is urging all customers to change their passwords after identifying a successful attack to access GWR▸ .com accounts over the last week.
The train company said circa 1,000 accounts were directly affected out of more than a million, and has written to those customers and the Information Commissioner's Office.
"We are now asking other account holders to do the same as a precaution against potential further attempts," GWR told The Register p>
"This kind of attack uses account details harvested from other areas of the web to try and catch out consumers with poor password habits. Sadly, it is the kind of attack that is experienced on a daily basis by businesses across the globe, and is a reminder of the importance of good password practice.
"We have acted quickly and decisively with our partners to protect our customers' data, and have taken clear steps to stop it happening again."