It seems that VRC PoS vulnerabilities are not fixed yet so attacks like this are possible.
This wasn't a PoS vulnerability.. it was an attack on the exchange, an exchange vulnerability... read the doc released by the devs.
But VRC PoS vulnerabilities still remain. It's not safe to invest until PoS is fixed. I hope dev buys a working PoS (license) if they are not able to fix it by their own.