My quick two cents …
First, the changesets referenced here may or may not be related to the hack as there have been other vulnerabilities that have been introduced and since fixed, as this one has been since fixed for quite some time.
Spending time attacking and criticizing vs. constructively tracking down and helping to find better solutions doesn’t really do anyone any good and, in all reality, has a very negative effect on the project. If it does anything, it hurts everyone because volunteer developers simply choose to go elsewhere vs. take the unwarranted abuse that is doled out in such exchanges.
Everyone is human and they make mistakes. It’s Open Source and that is one of the great things about Open Source: it is viewable by everyone and thus collective minds can track things down. Reports of banks the size of Chase Manhattan being hacked are a perennial event in the news. These are institutions whose IT budgets are counted in the BILLIONS of dollars. Given that, the insulting comments to members of this community that are being made here are simply uncalled for. We are a community, let’s try to act that way please.
As far as the latest exploit that is likely responsible, it was published Monday, reported yesterday and fixed and published this morning. It allowed an unauthenticated user to obtain the ARI admin credentials, nothing beyond that, though often those are set the same as the FreePBX Admin credentials and not changed.