Post
Topic
Board Service Discussion
Re: Instawallet claim process
by bumbo on 10/04/2013, 08:13:41 UTC
An intruder was able to access the instawallet database. As a result, all "hidden" urls, i.e. wallets, have been compromised and are no longer safe to store bitcoins.
Why would that be the case? If you stored strong salted hashes of the URI keys, then it would be next to impossible for the attacker to brute force valid URIs out of your DB. The fact that the actual keys appear to be stolen and you set up a long time (3 months) instead of a short time for the claims process raises suspicion.

Please do officially confirm that you did not store the secret in plain text on a webserver.

Also, how do you store user passwords in other Paymium services? Thanks.
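
The storage scheme the post asks about, as an added example that is not part of the original post and not Instawallet's code: only a digest of each secret URL token is stored, so a database dump contains no usable URLs. It swaps the per-record salt for a single server-side HMAC key so the digest can serve as the lookup key, which is sound only because the token is 256 random bits. `WalletStore`, `PEPPER` and the in-memory dict standing in for a database are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key held outside the database (constructed here).
PEPPER = secrets.token_bytes(32)


def token_digest(token: str, pepper: bytes = PEPPER) -> str:
    """Keyed digest of a URL token; this is the only form that is stored."""
    return hmac.new(pepper, token.encode(), hashlib.sha256).hexdigest()


class WalletStore:
    """Hypothetical store; the dict stands in for an indexed DB column."""

    def __init__(self) -> None:
        self._rows = {}  # digest -> wallet record

    def create_wallet(self) -> str:
        # 32 random bytes: too large a space to enumerate, so no per-row
        # salt is needed and the digest can be used directly as the key.
        token = secrets.token_urlsafe(32)
        self._rows[token_digest(token)] = {"balance": 0}
        return token  # placed in the user's URL once, never written to the DB

    def lookup(self, token: str):
        # Recompute the digest from the presented token and look it up.
        return self._rows.get(token_digest(token))

    def dump(self) -> dict:
        # What an intruder with read access to the database would obtain.
        return dict(self._rows)


if __name__ == "__main__":
    store = WalletStore()
    url_token = store.create_wallet()
    print("valid token opens wallet:", store.lookup(url_token) is not None)
    stolen = next(iter(store.dump()))
    print("stolen digest opens wallet:", store.lookup(stolen) is not None)
```

If the HMAC key is stolen together with the database, the scheme degrades to a plain SHA-256 of the token, which still cannot be reversed for tokens of this size.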