Hacker News
by jarito 5221 days ago
I think you may be a little off here. The statements in the thread seem to indicate that the compromise was not based on a vulnerability in custom software, but compromised credentials. You can certainly argue that the management console should be protected by two-factor (and it should be), but their software doesn't seem to be at fault here.

I would be willing to bet that they have had the system tested by external security contractors and scanned with automated scanning tools. This seems to be a people problem and features problem, not a vulnerability problem.

I guess we just don't know at this point. You may very well be correct. I guess if you want to use an open source provider, just make sure they are running OpenStack (openstack.org).