im actually kind of suprised. When they said that the hacker had private keys, i was thinking he could hashcat them to get passwords... but i figured with 16 characters that would take an unreasonable amount of time.
I figured with a 16 digit password even the weakest passwords would be relatively hard to guess... though i do support 2FA