Two questions....
1. Was the same admin account metinioned in this thread valid for all/most NATS installs?
2. Was there a way for a NATS program owner (or employee) to get the password of this admin account?
If the answer to both questions is yes, there was no need for any exploit or hacking.
---
BTW you probably wouldn't believe how many affiliate programs have serious security holes. It has happened so many times in the last years that we got access to admin data while analyzing the affiliate stats of an affiliate program in order to add it to StatsRemote.
Just a few weeks ago we had a case with a big program (non adult). While querying the referral stats we made a mistake and sent the wrong parameters. The result was a page with a list of more than 1000 affiliates including all their info and total earnings of the last years.
Most of the times companies fix it right away after we let them know but we also had cases when they just didn't seem to care
