
If I have a business and I use a company like sendgrid, I have credentials to use that service. If some employee has access to that account (such as to send newsletters), and that employee’s credentials were lost or stolen, that doesn’t seem suspicious at all.

I don’t have any inside info here, but it makes sense. And as a namecheap customer, I see no reason to panic at this time.



Employees should use 2FA for their accounts and Sendgrid seems to offer this; for passwords stored in sending applications one can use a combination of password and IP ACLs but I don't know if SendGrid allows setting IP ACLs for senders. While 2FA is not a panacea it significantly reduces risk.

One can send newsletters using a subdomain like news.acmecorp.com and have Sendgrid's IPs in the SPF record only for this subdomain and not for the main domains (though most recipients would not notice the change from say @acmecorp.com to @news.acmecorp.com).
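The SPF scoping described in the comment above can be checked mechanically. This is an added example, not part of the thread: it follows `include:` and `redirect=` through constructed TXT records and reports any name that authorizes the ESP's senders outside the allowed subdomain. The record contents, IP ranges and the `_spf.mail.example` name are constructed, and `include:sendgrid.net` is assumed to be the ESP's include mechanism.

```python
# Constructed sample TXT records (not real DNS data); the acmecorp.com
# names follow the comment above, everything else is a placeholder.
ZONE = {
    "acmecorp.com": ["v=spf1 ip4:192.0.2.10 include:_spf.mail.example -all"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/28 -all"],
    "news.acmecorp.com": ["v=spf1 include:sendgrid.net -all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
}


def spf_record(name, zone):
    """Return the single v=spf1 TXT record for name, or None.

    More than one SPF record is an error for receivers, so it is
    treated here as "no usable record".
    """
    recs = [t for t in zone.get(name.lower(), [])
            if t.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def authorized_domains(name, zone, seen=None):
    """Collect every domain reachable from name via include:/redirect=.

    Qualifiers (+ - ~ ?) are stripped, so any reference counts; that
    over-reports rather than misses a delegation. `seen` stops loops.
    """
    seen = set() if seen is None else seen
    name = name.lower()
    if name in seen:
        return seen
    seen.add(name)
    rec = spf_record(name, zone)
    for term in (rec.split()[1:] if rec else []):
        term = term.lstrip("+-~?").lower()
        if term.startswith("include:"):
            authorized_domains(term[len("include:"):], zone, seen)
        elif term.startswith("redirect="):
            authorized_domains(term[len("redirect="):], zone, seen)
    return seen


def audit(names, esp, allowed, zone):
    """Names that authorize esp's senders but are not in `allowed`."""
    return [n for n in names
            if n not in allowed and esp in authorized_domains(n, zone)]


if __name__ == "__main__":
    print(audit(["acmecorp.com", "news.acmecorp.com"],
                "sendgrid.net", {"news.acmecorp.com"}, ZONE))
```

The nested-include walk matters because the main domain can end up authorizing the ESP indirectly through another include, which a look at the top-level record alone would miss.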


You wouldn't claim 'the issue was with a 3rd party provider' though.



