I think it's the hacker that should hold the chief responsibility and the fault is on the hacker. But the developer of the operating system is also responsible for this flaw and the loss of owners of  the sensitive data. As a system developer, especially when the system holds sensitive data, one should be cautious and conscientious enough to make the system indestructible. All in all, the developer is responsible but only holds about 20-30% of the responsibil