Ouch. Somebody should teach them about this novel database concept called a "transaction".
DDoS or not, it should simply be impossible for something like this to happen.
We use transactions. Somehow mysql committed on its own some transactions while it shouldn't have. We have fixed this and added some checks to prevent similar behaviour.