They made an apparently appalling security error; in the name of transparency they should be more specific about what code was the problem and how this bug worked so people have a better idea of really how bad they screwed up. Right now it could be something that could have blindsided anyone or something incredibly obvious that they should have seen or had some process to detect.