Board: Gambling
Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
by grux on 20/09/2014, 19:06:10 UTC
If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.

We cannot assume this is the case. He may have randomized his own seed, but we're ignoring the true danger here. He may know the seeds to many whales or even to other accounts he has that DB doesn't know about. And the seed isn't the only vector here for such a disastrous situation.