If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?
They've addressed this before.
He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.
While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.
I think that's how it goes, anyway.