Board: Bitcoin Discussion
Topic: Re: Silk Road 2.0 hacked through malleability, ALL FUNDS STOLEN
Post by cr1776 on 13/02/2014, 21:11:16 UTC
Can anyone explain how this transaction malleability bug can be exploited to steal coins from a Bitcoin address? I thought it can only happen if you are an exchange, like Gox or Stamp, and people are making withdrawals.

I can't explain it to you, because it cannot happen. This is a blatant lie; the OP stole everyone's coins and, as the other poster said, anyone stupid enough to leave coins on a hosted site dedicated to selling illegal products deserves to have their bitcoins stolen.

It can happen if withdrawals are automatic, requests for re-tries are automatic, and SR 2 used a transaction ID to confirm withdrawals were successful.  E.g.
1. A withdraws 10 BTC, tx ID 1
2. A successfully changes tx ID 1 to tx ID 1a (malleability)
3. A tells SR 2 that tx ID 1 never arrived
4. SR 2 checks and sees tx ID 1 is not in the block chain so reissues it.  (At least MtGox had a human at this step, but they fell for it too).
5. Goto step 1 until the wallet is drained.

Very poor programming since nothing is final until it is confirmed (including the tx id), and this should not have been automated.

Did this happen or did they take it?  Don't know.

Any coins to which you don't have the private key are not yours; they are a ledger entry, so don't store coins anywhere except your wallet (cold storage is best), unless you absolutely have to.
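
The check that step 4 in the post above lacks, as an added example that is not part of the original post or any service's real code: a retry request is decided by whether the withdrawal's inputs were spent in a confirmed transaction, not by whether the original tx ID appears. All names, outpoints and addresses are constructed for illustration.

```python
# Added example: hypothetical names, constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset   # outpoints spent, as "prev_txid:index" strings
    outputs: tuple      # (address, amount_btc) pairs

@dataclass
class Withdrawal:
    user: str
    broadcast: Tx       # the transaction the service originally sent

def confirmed_by_txid(w, chain):
    """Naive check from step 4: look only for the original tx ID."""
    return any(tx.txid == w.broadcast.txid for tx in chain)

def settled_by_inputs(w, chain):
    """Return the confirmed tx that spent any of our inputs, or None.
    A malleated copy has a different txid but spends the same outpoints."""
    for tx in chain:
        if tx.inputs & w.broadcast.inputs:
            return tx
    return None

def handle_retry_request(w, chain):
    """Decide what to do when a user claims a withdrawal never arrived."""
    spent_by = settled_by_inputs(w, chain)
    if spent_by is None:
        return "pending"        # not confirmed yet: wait, do not pay again
    if set(w.broadcast.outputs) <= set(spent_by.outputs):
        return "paid"           # same payment confirmed under another txid
    return "manual_review"      # inputs spent some other way: escalate

# Constructed scenario matching steps 1-4 of the post.
original = Tx("1", frozenset({"aa:0"}), (("addr_A", 10),))
mutated = Tx("1a", original.inputs, original.outputs)
chain = [mutated]               # only the mutated copy was confirmed
w = Withdrawal("A", original)

if __name__ == "__main__":
    print("txid check sees payment:", confirmed_by_txid(w, chain))
    print("input check decision:", handle_retry_request(w, chain))
```
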