The above fact pattern does not say with certainty that the images came from binance/one of their vendors. It also opens the possibility the "hacker" obtained the images via means unrelated to binance.
All the selfies (which you can find examples of online if you want to go looking for them) were of users holding up pieces of paper with "Binance" written on them alongside their ID. There is no reason that any company other than Binance or their third party partners would have thousands of such pictures. And regardless, Binance admitted the data came from a third party that they sent users' KYC data to, they contacted all the users in questions to tell them about the hack, and they gave them all free lifetime VIP memberships. So yes, it was Binance's fault despite their initial statement that nothing had been "obtained from Binance".
This statement in this case about nothing being leaked from "their own servers" is exactly the same. Binance are neither honest nor trustworthy when it comes to security of data.