The company has now posted an explanation of how it happened:
During the investigation into stolen funds we have determined that the extent of the theft was enabled by a flaw within the front-end.
The attacker logged into the flexcoin front end from IP address 18.104.22.168 under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy
The coins were then left to sit until they had reached 6 confirmations.
The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to “move” coins from one user account to another until the sending account was overdrawn, before balances were updated.
Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough.
Having this be the demise of our small company, after the endless hours of work we’ve put in, was never our intent. We’ve failed our customers, our business, and ultimately the Bitcoin community.
Please direct any and all questions to admin(at)flexcoin(dot)com and we will reply to you as soon as possible.
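The flaw the statement describes is a check-then-act race: the balance check and the debit were separate steps. As an added illustration (not Flexcoin's code, which the page does not show), the Python below replays that interleaving sequentially against a constructed SQLite ledger so the outcome is deterministic, then shows a transfer whose check and debit are a single conditional UPDATE. The table, account names and function names are assumptions.

```python
import sqlite3

def make_db(start=100):
    # Constructed ledger: account 'a' holds `start` units, 'b' holds none.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("a", start), ("b", 0)])
    db.commit()
    return db

def balance(db, name):
    return db.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]

# Flawed pattern: the balance check and the debit are separate steps.
def check_funds(db, src, amount):
    return balance(db, src) >= amount

def apply_transfer(db, src, dst, amount):
    with db:
        db.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))

def simulate_flawed(requests=5, amount=100):
    # Replay the interleaving: every request passes the check before any debit lands.
    db = make_db()
    approved = [check_funds(db, "a", amount) for _ in range(requests)]
    for ok in approved:
        if ok:
            apply_transfer(db, "a", "b", amount)
    return balance(db, "a"), balance(db, "b")

# Corrected pattern: check and debit are one conditional UPDATE in one transaction.
def transfer_atomic(db, src, dst, amount):
    if amount <= 0:
        return False
    with db:  # commits on success, rolls back if an exception escapes
        debit = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (amount, src, amount))
        if debit.rowcount != 1:
            return False  # insufficient funds or unknown sender: nothing changed
        credit = db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        if credit.rowcount != 1:
            raise ValueError("unknown destination account")  # undoes the debit
    return True

def simulate_atomic(requests=5, amount=100):
    db = make_db()
    results = [transfer_atomic(db, "a", "b", amount) for _ in range(requests)]
    return results.count(True), balance(db, "a"), balance(db, "b")
```

In the flawed replay the sender ends overdrawn while the receiver is credited once per request; with the conditional UPDATE only the first request succeeds because the database re-evaluates the balance at write time.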