The more concerning part is the use of valid username/password combinations. Unless they literally set this up as root/root (not...as implausible as it should be but from the description it seems unlikely) then how did they get them?
(and even if that is what happened, it goes back into "holy shit how did that happen?")
I mean, honestly I wouldn't be amazed if one of the DOGE people's personal laptops (which I assume they were using, because no-one involved in any of this seems to have the first clue what they're doing) was compromised. If they saw outside login attempts within minutes of account creation, then, as you say, unless it was root/root or similar, presumably fairly real-time data exfiltration is going on _somewhere_.
EDIT: Also, given that the attacker had correct credentials and was only stopped by an _IP address_ check, we may assume that, unless the attacker was particularly incompetent, they likely got in.