Actually I also have a strong suspicion about it, a program that was created must have been equipped with high security layers. Especially when it comes to user property rights, such as brand assets on the platform, of course the security of the platform is made as perfect as possible. While there must have been a loophole, it would have taken at least years to get to it and it wasn't easy, unless it was an insider's negligence that led them to lose their exchange assets through their own fault.
I would guess that a bad security is not out of question neither. I get that everyone thinks "if you are guarding millions of dollars then you would have a good security" but you have to remember it is not their money and they do not care about security as much as you think they do, they say they do but in reality, they don't.
There was a company in my nation that said they care about security to an insane level, like they spend 70% of all their profits to constantly increase their security and we are talking about tens of millions of dollars when we say 70% of their profits, so what kind of security would you imagine if you spent tens of millions of dollars on it? Great one right? Well, they got hacked and they are now gone, so it means they lied to us or they were screwed as well. So do not imagine it to be as truthful about it as they might be.
In the particular case that you are bringing it is obvious they were lying, no company is going to spend 70% of their budget on securing the funds of their customers as that would be highly inefficient, and the fact they got hacked shows this was not the case and this was nothing more but a way to try to sell the image they were extremely conscious about the security of their clients only to fail at the end, something that is also quite common in this market.