During a "manual" migration the wp-config.php from my old site was renamed to wp-config.php.orig, and left in the html folder, meaning it was publicly viewable to anyone.
PLUS, a database dump was performed and left in the html folder, exposing the entire database to anyone who put the URL into a browser.