Good and bad here
Bad points for the break-in. Shoddy code ? That's a shame.
But A+ for handling the fallout. Full admission of the break-in, without pussy-footing about the issue. Passwords salted and hashed, miscreants aren't going to be able to do much with that. Premium subscriptions reimbursed, can't fault them there.
Promise to do better ? You betcha.
There are a lot of companies who could take notes here.