They are guilty of implementing a mechanism that was broken by design, and wasting customers' money. They hadn't been hacked or stolen from - the "attacker" didn't need to hack any particular security mechanism, he was just smarter at how their market worked than the owners.