I think one fair criticism is they could have had intrusion detection trigger when, presumably, the same IP address was logging in to thousands of accounts. But who knows how sophisticated the attack was?
[edit]: There are other obvious heuristics that could have detected it; it does show they had either very basic or no intrusion detection, which, for a service of this nature, isn't really acceptable.
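The per-IP heuristic mentioned in the comment above, sketched as an added example that is not part of the original post or of the service's code: it counts distinct accounts per source IP inside a sliding window. The event tuple layout, the 10-minute window, the 25-account threshold and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def flag_ips(events, window=timedelta(minutes=10), max_accounts=25):
    """Return {ip: peak distinct accounts} for every source IP that touched
    more than max_accounts different accounts inside one sliding window.
    events: iterable of (datetime, ip, account, outcome) tuples (assumed layout)."""
    recent = defaultdict(deque)                      # ip -> (time, account) in window
    counts = defaultdict(lambda: defaultdict(int))   # ip -> account -> events in window
    flagged = {}
    for ts, ip, account, _outcome in sorted(events):
        q, c = recent[ip], counts[ip]
        q.append((ts, account))
        c[account] += 1
        # Expire events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # Successes count too: logins with valid credentials never fail.
        if len(c) > max_accounts:
            flagged[ip] = max(flagged.get(ip, 0), len(c))
    return flagged


def sample_events():
    """Constructed sample data using documentation-range IP addresses."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # One source logging in to 40 different accounts, one every 2 seconds.
    for i in range(40):
        events.append((t0 + timedelta(seconds=2 * i), "203.0.113.7", f"user{i:03d}", "success"))
    # A shared office address: many logins, but only 3 accounts (must not flag).
    for i in range(90):
        events.append((t0 + timedelta(seconds=5 * i), "198.51.100.20", f"staff{i % 3}", "success"))
    # A slow source: 30 accounts, one per hour, never 25 inside one window.
    for i in range(30):
        events.append((t0 + timedelta(hours=i), "192.0.2.55", f"acct{i:03d}", "failure"))
    return events


if __name__ == "__main__":
    for ip, peak in flag_ips(sample_events()).items():
        print(f"ALERT {ip}: {peak} distinct accounts within 10 minutes")
```

The slow source in the sample stays under the threshold, which is why a per-IP count is usually paired with the other heuristics the comment alludes to.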