For a concrete example, someone could infect an image storing service with code that encrypts (and silently decrypts) the data when it's stored / retrieved. When the hacker removes the decryption key from the running service, the backups will also be inaccessible because they are also encrypted.
Are user accounts data or systems? Compromise of AD is a very common means. This said this can still be fixed before putting it back where it could reach the internet and cause trouble.
Our backups were the data, not code or systems (which were IaC and rebuilt as needed).