Of course it’s a public record... Auditing them is NOT.
Currently the story has drifted a bit from a focus on new applications to existing authorizations. The public record shows your existing authorizations so that's how the bad guys found out who to target.
The question is how did they get word to staff people to do those audits!