It's unexpected to me that someone with the technical knowhow to build spyware like this and a nice web interface for it, made basic mistakes like storing passwords in plaintext and piping unescaped user input into database queries.
Something I've learned over the years is that even very talented developers can be really bad at security.
In many cases it's just not something that's taught at school or that is covered in training. So it's a mindset that just isn't there, even when they're great at other parts of the craft.
If you're building anything that is going to be exposed to the public Internet and you aren't, at some point, going through the exercise of "how can people break or abuse or hack this" then you're missing a step for sure.
Malware developers often prioritize functionality and speed-to-market over security hygiene, operating under the "security through obscurity" fallacy that nobody will bother attacking their infrastructure.
