The contract code said, "if you have a valid (off-chain) private key, you can mint tokens." The hacker gained access to their AWS account and ultimately their keys.

While I am happy to celebrate dumb crypto stuff, this isn't a situation where someone's code was "exploited." Their code was stupid, relying only on an off-chain private key to allow the minting of tokens. Their security was just also bad.