Conveniently for them, they only kept 2 weeks of logs (this is a 3 year old bug). I might implement that at my company. Take two weeks to patch and test the security hole, then review my two weeks of logs for any evidence of a breach. Then tell customers we haven't found any evidence of illicit access.
Not only that but does anyone actually believe they only kept two weeks of logs? I find it very suspect that the company known for amassing data only keeps some data for two weeks. How convienent for them.
