The hacker found that the stats token, that a user can use to access their own account information, does not expire when an account is deactivated. This was resolved so the view could not be used after deactivation.
Application has a feature
Authorize your 3rd party stats that provides users a way to generate
auth token to track their statistics. The flaw was even if users deactivate their account
auth token was not getting expired which allow third applications to track users statistics.