It would be better to ask the affected customers to sign a message with their hacked wallets to be eligible for a refund. This is the best way to prove ownership of a wallet without exposing its seed.
But there is a more serious problem, imo: they claim they don't save their customers personal information (no kyc) and since the hacker manged to move the victims funds then he certainly has their wallets seeds too.