by jkat
4793 days ago
The 21-character reset was generated via 3 separate functions, each generating 7 characters. 2 of these were old and weak, resulting in a URL that could be brute forced. Once discovered, they analyzed 3 years' worth of logs to see who was exploited (not clear how they matched it... maybe scanning for brute forces?) and found 3 sites, all related to bitcoin. The weakness in the algo has been resolved by using 2 real random functions to generate 64 random characters.