Well they've got all of the private information you inputted when you signed up, or which they got when you signed up which is going to be email, ip, etc.  And yes they do have your private keys, nothing you can do to get around them holding them.

They've been pretty security for the past year or so, but before that there were large privacy concerns with them and hackers stealing money. If you have large sums of money don't trust an online wallet, go buy a HW.