Monitor your databases, people
Would it really be that hard to monitor database queries and shut off connections if it requests too many rows or performs too many requests? Such a basic bit of protection would do wonders to prevent breaches like this. No legitimate user is going to request tens of millions of rows of data over several tables, so why is doing so allowed? At best, it's a bug in the code that should be fixed that should be blocked and rectified anyway.
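
A sketch of the kind of guard the comment describes, added here as an example and not part of the original comment: a wrapper that counts rows and queries per connection and closes the connection once either budget is exceeded. The names `GuardedConnection` and `BudgetExceeded`, the thresholds, and the in-memory SQLite table are assumptions made for the demonstration.

```python
import sqlite3
import time

class BudgetExceeded(Exception):
    """Raised when a connection goes over its row or query budget."""

class GuardedConnection:
    """Hypothetical wrapper: shuts the connection off once a budget is exceeded."""
    def __init__(self, conn, max_rows, max_queries, window_s=60.0, clock=time.monotonic):
        self.conn, self.max_rows, self.max_queries = conn, max_rows, max_queries
        self.window_s, self.clock = window_s, clock
        self.rows_served, self.query_times, self.closed = 0, [], False

    def _trip(self, reason):
        self.closed = True
        self.conn.close()  # cut the connection, then tell the caller why
        raise BudgetExceeded(reason)

    def query(self, sql, params=()):
        if self.closed:
            raise BudgetExceeded("connection already shut off")
        now = self.clock()
        # Sliding window: keep only the query timestamps newer than window_s.
        self.query_times = [t for t in self.query_times if now - t < self.window_s]
        self.query_times.append(now)
        if len(self.query_times) > self.max_queries:
            self._trip(f"more than {self.max_queries} queries in {self.window_s}s")
        rows = []
        for row in self.conn.execute(sql, params):  # stream, so the cap trips early
            self.rows_served += 1  # cumulative over the life of the connection
            if self.rows_served > self.max_rows:
                self._trip(f"more than {self.max_rows} rows requested")
            rows.append(row)
        return rows

def demo():
    # Constructed sample data: 1000 fake customer rows in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO customers (email) VALUES (?)",
                   [(f"user{i}@example.test",) for i in range(1000)])
    guarded = GuardedConnection(db, max_rows=100, max_queries=5)
    ok = guarded.query("SELECT * FROM customers WHERE id = ?", (7,))  # normal lookup
    try:
        guarded.query("SELECT * FROM customers")  # bulk read of the whole table
        tripped = False
    except BudgetExceeded:
        tripped = True
    return len(ok), tripped, guarded.closed
```

In a real deployment the same budgets would sit in a database proxy or in the database's own audit and resource-limit features rather than in application code, and a trip would also raise an alert.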