I read about how the hackers broke in and holy hell it's embarrassing. Basically they left a bunch of validation up to the client instead of enforcing it on the server. Hackers just emulated their own client and forged a different fields in the request and the server just let them do it.