I wonder if keys were generated by some deterministic wallet first, and then truncated to N bits. Because in that case, it could be possible to recover the master key, and then sweep coins from all of them, while it would not mean that ECDSA is broken (because HD keys could be non-hardened).