Well, it may have to do with the fact that he was not using prepared statements in his SQL.
This update from one of his mods in December 2015 casually mentioned that he started using prepared statements.
Forum Moderators - Updates
He may not have even realized how big of a security risk it was at the time, until a nefarious sort saw the potential in his add-on(s), found a site running an old version of it, and hacked it.
Maybe XenForo got involved, reviewed the add-on, and told him to make sure he's using prepared statements and put out a notice?
This is pure speculation on my part.