I'm glad to see this release, only I wish it was made a week ago. Hopefully it'll put to bed at least some of the conspiracy theories and accusations.

I'm wondering why they couldn't have be more forthright, however. Was there an NDA or gag order involved, or did they just want to be sure to have fully investigated and sealed the security holes before informing us?

An NDA might make sense, as many website and software sales that involve residual payments also have a holding period during which the previous owner is somewhat liable for certain issues (Previous patent claims, undisclosed legal or security issues, etc). Revealing anything about the residuals and the former owner's involvement post-sale might have been in their contract, which would ostensibly include talking too much about the hacked account.

(I'm not a lawyer. I only know some of this because my stepbrother just sold his software company)