Analysis indicates the data was aggregated over time from multiple sources, including malware infections, phishing campaigns, and older third-party breaches. There is no indication of a direct compromise of Google’s internal infrastructure.

Everything is vulnerable to that, including proton.