It is hard to believe that cryptopia would store coins in an insecure hot wallet. I think it was an inside job, done by technical staff that had access to certain passwords
Have they actually released any details about the hack, or made any statements about whether cold storage was compromised? I can't even find a statement from Cryptopia about whether they used cold storage at all. We take it for granted they did but who knows?
When Bitfinex got hacked a couple years ago, it was revealed that all of their bitcoins had essentially been kept in a hot wallet, secured by online keys and Bitgo API keys which were also stored online.