Damn, their web site is so awful. If the code for it is all in github and the token got loose, maybe the right attacker could have cleaned up the slow javascript bloat, made the search system a lot better, fixed the login bug that makes logging in fail more than half the time depending on your browser, streamlined the ordering system, etc. We missed our chance!