I’m not sure about this headline. According to the company that makes WordPress Multi Language, it appears that the plugin code itself wasn’t hacked, just the customer database. Nevertheless, we see yet again that it wasn’t outside hackers causing problems for the company; it was an inside job.
WPML claims that the email came from a former employee who left a backdoor on their official website. The former employee was then able to access the company’s database and send the mass email.
The lesson, as always: when someone leaves or is asked to leave, be wary of what they’ve left behind, especially when they have access to web servers, customer databases, etc. Tech folks can be one of your most valuable assets, but they can also do the most harm to your organization.