It's unexpected to me that someone with the technical knowhow to build spyware like this and a nice web interface for it, made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
Malware developers often prioritize functionality and speed-to-market over security hygiene, operating under the "security through obscurity" fallacy that nobody will bother attacking their infrastructure.