Post
Topic
Board Service Announcements (Altcoins)
Re: [ANN][EXCHANGE] Poloniex - Crypto Exchange with BTC/NXT
by Rawdawg- on 03/05/2014, 05:32:29 UTC
Ok. How do you access your servers? Console access? That's not locked down via IP then either? So I can login from anywhere in the world?

Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways.  In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.

So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.

I VPN with both certificates & passwords, in some cases also with RSA. Never locked down to IP, so yes from anywhere in the world.

The culprit was able to fool an incompetent sys admin into allowing him access. Probably via console, yes, or by tearing down the firewall, changing the passphrase, etc. At this point we don't know if it was a dedicated or VPS.

Garbage might have been the wrong word. Please, stop fear mongering.

I was going to stay quiet in this, however seeing that you are trying to censor people who have legitimate concerns, and I happen to have a few BTC worth of coins on your exchange, I think it's time to say something.

#1. It's not "fear mongering" if he is speaking the truth, he is just asking questions/making statements that YOU don't like, therefore it's "FUD"
#2. You are too easily passing the blame on to the Sys admin, your site has already been hacked once and lost money that you then ILLEGALLY created debt instruments to get back the money that your incompetence lost in the first place.
#3. Chiz is the guy that I talk to when I have a question about security for any of my sites, so if I were you I would be asking him for help or to tell you how he might fix an issue like this so it never happens again, not just calling him a "fear mongerer".

TLDR, don't be a douchebag and listen when people ask you questions. You haven't learned from the last hack, so start learning now or shut down your exchange.