Reply to post: Brute forced?

Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

SVV

Brute forced?

Not at all. They simply used the same set of keys that everybody gets and then opened the door and strolled in.

I suppose when you market an "easy to use out of the box" commerce site building tool, then some people may think they need to just follow the instructions given and that'll be all they need to do, in which case Magento should have been a lot more thorough on the documentation for installation and configuration with big warning sign sections on vital steps such as this.

However, when you're getting to the level of taking online payments using such a product, it SHOULD go without saying that you shouldn't really be doing that sort of stuff without getting it thoroughly checked over by a security expert. And I mean an expert with a solid track record, not a "my mate Gary who knows a bit about computers". Wonder who's going to end up liable for the stolen money? I suspect the card issuers might not be looking too fondly at this product right now.....
