Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.

I really dislike the way they try and play this down in the doc:

https://update.botghost.com/#-summary-of-the-breaches-