I tend to agree with you - 2 observations
1. It was both the App and the Website - so presumably that narrows it down further.
2. The detailed timing of the window suggest it was associated with either a BA or Thirdparty code release to me, or worse an explicit intrusion that they have already traced. Considering they only shut down the breach on Wed they have gathered a big chunk of forensics in the first 24hrs.