But if they had used the password changes API to assign random passwords to all accounts, as suggested, then the data couldn't be modified. Am I missing something?
Parent's point is that any conclusion one could make from the data is worthless because, being public and unsecured, it could have been modified by any Internet user at any time before a password was set.
Secure your damned database.
The fault and responsibility lie with the deploying organisation and tools vendor. Meow is just the messenger.