Also as DDG is based in the US it is most likely legally bound to give your informations to any agency with a nice gag order on top of it.
I can’t imagine any serious privacy oriented business to be headquartered in the US.
The whole better privacy is true with DDG but certainly not to the extent people would like to think.
That being said DDG has decent search results and is slightly better than Google for privacy. Google is an ecosystem so every little bit you don’t give them is a success.
It’s really too bad we don’t have good private search engines…
Is it possible that this password was really your gf’s password in the past ? It could have leaked long ago and the hacker just decided to use a previously leaked pass to be more inconspicuous.
I don’t think this whole story is so wild, it could be just coincidental. The hacker knew somehow about her DOB and thought this would be an easy password.
Rest assured a hacker wouldn’t want to use their own password or reuse even one as that could link to previous nefarious activity. So they had to set up a brand new password just to move forward. So they set up anything personal they could get their hands on.
PS: you should check haveIbeenPwned for the address of your gf.