Whose design failure?
"technical glitch introduced after "routine" website maintenance had left their accounts wide open"
Failure to segregate the presentation layer from the back end yet again. This is so basic! And yet it still happens. It seems as if web devs look on the task now as just delivering and running untrusted programmes in strangers' browsers. When I taught web development (admittedly a couple of decades back) we always did sensitive stuff server side with a solid protection layer between presentation and processing.