What is preventing them from putting the site up? If they worry about the attacker logging into customer accounts (which, because they claim the passwords are salted & hashed with bcrypt seems not probable) they could just reset all users' passwords and let them log in using activation code. People that have 2nd auth via Google Authenticator will be even more secure this way*. Doing it like this would enable users to decide for themselves if they want to shut down their positions or not. Doing it on behalf of users against their will is just wrong to me.
*there's always a possibility that the attacker tampered with the database. But it's nearly impossible to tell which data was tampered and which wasn't, so either way they're in pretty hot water.
They don't want to risk it.
They don't want to take even further damage on an insecure system, by the looks of it.
I'm pretty sure they would put it back online right now if they could, their time offline is costly for them. They lose prospective users and credibility by the minute. So I guess they just cannot trust the system to put it online even for a minute.
Anyway you do well in voicing your suggestions. Maybe they can actually afford to give it a try, we'll see tomorrow I guess.
It's a bit confusing that they decided to take their blog offline as well. I wonder what are they up to right now. They could do a bit better in the communication front.
Is this true? Is their blog, assumingly hosted elsewhere, offline? This would make no sense to me if true. A/the blog, in conjunction with this forum, would/should be the main source of communication to their users for them.
Please correct me if I'm mistaken.