What I’m saying is this. First the hacker has to find loop holes in any of the plugins. That in turn allows them to upload a file giving them the needed info. Which in turn they sell to other hackers where to find the information. And if any plugin pulls that information especially on a nonssl site can be swiped in the process of plugin > database / database > plugin. They don’t have to view the dashboard to get the information.
Hosts constantly update their servers to help with issues like that. But with the plugin pulling the info for them they know the minute it’s updated. And like I said with the plugin pulling the info they can simply pass through the plugin>database/database>plugin. They have no need for a file to remain on the server for the info, making it extremely hard to pinpoint the troublesome file.