It's unfortunate that this occurred, however the summary of this boils down to what security professionals already know - people are your weakest link. I've been working in cyber security roles for almost a decade now and it amazes me when I read articles like this.

There was serious investment involved, you knew there were threats and vulnerabilities and therefore also knew there was risk. It does not appear that an impact assessment was even considered in this scenario. Risk = Threat * Vulnerability (this is Asset Value * Exposure Factor = SLE or Single Loss Expectancy * ARO or Annual Reoccurance ), these together are the formula for risk and provide the ALE or Annual Loss Expectancy. Things will happen, one must plan in advance for them and there is a cost associated with them, monetary or other means.

With all that mind, the simple answer here was - you had serious investments. Did you not think to invest anything to protect them?
Did you consider how or what threats might impact you and how you might mitigate them? What about auditing and accounting - not your digital assets but the access to them?

Example, if you accessed information from a VPS (I speculate for a concept of anonymity), you mentioned a form of identification and authentication (a password) but regardless of 2FA, what forms of authorization were in place and what was there to ensure that auditing and accounting could be done so that the confidentiality, integrity and availability were maintained?

Folks, simple answer here - think about what you have that you are attempting to secure, from whom and what can be done to address the risks remaining. It's simple, people do this daily and while I feel the "swans" playing their song in this thread - clearly this individual did not exercise either due care or due diligence - the only fault is their own.