It's pretty simple: both parties are to blame. PHP Fog did not do due diligence in securing their servers, and the attackers committed illegal and distasteful acts.
If I leave my front door unlocked and someone walks in, there are several possibilities. If they just look around and leave, or say lock the knob behind them and walk out, that is one thing. If they smash my furniture and knock over all my plants, that was their choice, right? That action is illegal and immoral regardless of the fact that it was my negligence which made it possible. We all know these dumb kids should have reported the vulnerability responsibly. That would have benefited everyone, especially themselves. They might have been getting job offers instead of bad reputations.
If I leave my front door unlocked and someone walks in, there are several possibilities. If they just look around and leave, or say lock the knob behind them and walk out, that is one thing. If they smash my furniture and knock over all my plants, that was their choice, right? That action is illegal and immoral regardless of the fact that it was my negligence which made it possible. We all know these dumb kids should have reported the vulnerability responsibly. That would have benefited everyone, especially themselves. They might have been getting job offers instead of bad reputations.