5,500 accounts targeted in what the federal government described as two “credential stuffing” schemes.