The database, as far as I can see, was not breached. If this is an OAuth attack, I believe they would have used someone's OAuth token to make requests via the Admin API (you can do a lot with it) and then from there you could basically just get whatever you wanted. I'm wondering if there is someone who's a Moderator/Admin on Poast and on Baest, who perhaps used the same password between accounts. If this password was breached, a bad actor could log in, pull the bearer token (from each account), then use that bearer token to authenticate and send those requests to the Admin API endpoint, then file them in individual folders for the relevant data.
Images that you send in DMs don't go anywhere special - they go to the exact same endpoint as the rest of the images you upload on the timeline, it's just that the view scope is between you and the other person, rather than the public timeline. In theory, if you knew the hash of the image, you could just plug it into the browser and find an image that someone posted in DMs. Don't use fediverse DMs. If you do, stop it.