Attackers can obtain sensitive information via a direct request to a backup file in administrators/backups/, because the plugin stores database backup files with predictable names under the web root with insufficient access control.
Update the plugin.
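
To check a server for backups left exposed in this way, the following added example (not code from the plugin or from this advisory) walks a web root on the local filesystem, finds every administrators/backups/ directory that holds backup files, and reports whether that directory carries its own deny-all rule. The Apache-style .htaccess check, the extension list, the function names and the sample file names are assumptions.

```python
import os
import re
import tempfile

# Assumptions (not from the advisory): Apache-style .htaccess deny rules,
# honoured via AllowOverride, and this list of backup-like extensions.
BACKUP_EXT = (".sql", ".zip", ".gz", ".tar", ".bak")
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                     re.IGNORECASE | re.MULTILINE)
BACKUP_PARTS = ["administrators", "backups"]  # directory named in the advisory


def is_denied(directory):
    """True if the directory's own .htaccess has a deny-all rule (parent rules are not checked)."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False


def audit_backup_dirs(web_root):
    """Return [(backup_dir, [backup files], denied)] for each administrators/backups/ under web_root."""
    findings = []
    for current, _dirs, files in os.walk(web_root):
        if os.path.normpath(current).split(os.sep)[-2:] != BACKUP_PARTS:
            continue
        backups = sorted(f for f in files if f.lower().endswith(BACKUP_EXT))
        if backups:
            findings.append((current, backups, is_denied(current)))
    return findings


def build_sample_tree(root):
    """Constructed sample layout: one unprotected and one protected backup directory."""
    for site, protect in (("site_a", False), ("site_b", True)):
        d = os.path.join(root, site, *BACKUP_PARTS)
        os.makedirs(d)
        open(os.path.join(d, "backup_1.sql"), "w").close()  # constructed file name
        if protect:
            with open(os.path.join(d, ".htaccess"), "w") as fh:
                fh.write("Require all denied\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, backups, denied in audit_backup_dirs(tmp):
            status = "denied by .htaccess" if denied else "EXPOSED: move outside the web root"
            print(f"{path}: {len(backups)} backup file(s), {status}")
```

A directory reported as denied still depends on the web server honouring .htaccess files; keeping backups outside the web root removes that dependency.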