by ezekg 3462 days ago
That sucks that he didn't have any backups, but it was just a matter of time before it happened. But nobody hacked the server; you can literally just throw SQL into the URL: http://gitpay.org/user.php?user=%27%3B%20DROP%20DATABASE%20d.... That's why you should never trust any user input.
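
The failure mode described in the comment above, as an added example that is not part of the original comment and not the site's code: a `user` query parameter pasted into SQL text, next to the bound-parameter form that treats it as data. The schema, function names and payload are constructed for illustration, and Python's `sqlite3` stands in for the site's unknown PHP/database stack.

```python
import sqlite3
from urllib.parse import unquote

# Constructed payload with the same shape as the URL in the comment
# (quote, semicolon, second statement). DROP TABLE is used because
# SQLite has no DROP DATABASE.
PAYLOAD = "%27%3B%20DROP%20TABLE%20users%3B%20--"

def make_db():
    """In-memory stand-in database (constructed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (name TEXT PRIMARY KEY, balance INTEGER);"
        "INSERT INTO users VALUES ('alice', 10), ('bob', 20);"
    )
    return db

def table_exists(db):
    """True while the users table is still present."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row is not None

def lookup_concat(db, raw_param):
    """'Before': the decoded parameter becomes part of the SQL text.
    executescript() stands in for a driver that runs stacked statements."""
    user = unquote(raw_param)
    db.executescript(f"SELECT * FROM users WHERE name = '{user}';")

def lookup_bound(db, raw_param):
    """'After': the value is bound as a parameter and never parsed as SQL."""
    user = unquote(raw_param)
    return db.execute(
        "SELECT name, balance FROM users WHERE name = ?", (user,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("bound, payload :", lookup_bound(db, PAYLOAD), table_exists(db))
    print("bound, alice   :", lookup_bound(db, "alice"))
    lookup_concat(db, PAYLOAD)
    print("concat, payload: table still exists?", table_exists(db))
```

Binding fixes the query itself; running the web application under a database account without DDL privileges limits the damage if an unbound query slips through.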