With the transaction timestamps of the rogue BTC address, it seems likely that the hackers were modifying the DB directly using a script, changing payout addresses and initiating payouts in succession. They didn't even need to enter PINs. This risk was practically eliminated by middlecoin by paying out to the username BTC addresses only, and transmitting the amounts daily when the threshold was reached. Something for aTriz and nearmiss to think about.
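A sketch of the payout design described in the post above, as an added example that is not middlecoin's code or part of the original post: the destination is derived only from the username, so a rewritten payout-address column cannot redirect funds. The row schema, the threshold value, the function names and the sample rows are assumptions, and the Base58Check validation of the username goes beyond what the post describes.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
THRESHOLD_SATS = 1_000_000  # assumed payout threshold, not a value from the post

def is_valid_btc_address(addr: str) -> bool:
    """Base58Check validation for legacy P2PKH (0x00) / P2SH (0x05) addresses."""
    if not 26 <= len(addr) <= 35:
        return False
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # 1 version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    if raw[0] not in (0x00, 0x05):
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return checksum == raw[21:]

def plan_daily_payouts(rows, threshold_sats=THRESHOLD_SATS):
    """Return (payouts, alerts). The destination is always the username itself."""
    payouts, alerts = [], []
    for row in rows:
        user = row["username"]
        if not is_valid_btc_address(user):
            alerts.append(f"username is not a valid address, holding funds: {user}")
            continue
        # A separate payout column is never used as a destination; a value that
        # differs from the username is only reported as a sign of DB tampering.
        stored = row.get("payout_address")
        if stored is not None and stored != user:
            alerts.append(f"payout_address column differs from username: {user}")
        if row["balance_sats"] >= threshold_sats:
            payouts.append((user, row["balance_sats"]))
    return payouts, alerts

# Constructed sample rows. GENESIS is the well-known genesis-block address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE = [
    {"username": GENESIS, "balance_sats": 2_500_000,
     "payout_address": "CONSTRUCTED-TAMPERED-VALUE"},
    {"username": GENESIS[:-1] + "b", "balance_sats": 5_000_000},  # bad checksum
    {"username": "alice", "balance_sats": 9_000_000},             # not an address
]

if __name__ == "__main__":
    print(plan_daily_payouts(SAMPLE))
```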