How did this breach happen?
Bug in Lemmy-UI's custom emoji code that allowed for JavaScript XSS to be run.
What information was compromised?
All of it. The end is nigh (!)
More realistically, account authentication tokens were scraped by using that JavaScript XSS to bounce through a site. It's also how they were redirected.
Are admins present 24/7, or are they lumped into specific time zones?
Since the server is hosted in Finland, I'd guess either European or American time zones; it tends to be either one of the two.
What steps will be taken in the future to prevent breaches such as this?
Literally nothing. Not much they can do about a bug inside of the web UI that causes an operator account to be compromised by using XSS to redirect to other sites, where the authentication token can be scraped.
You want to check with Lemmy developers for that, but I imagine that fixing the bug tends to be the best way of prevention.