Here's their official message:
They are not specific about how much money was stolen from them, and when their security was weak enough to require a whole re-write, one must wonder about other issues on there. So don't trust anybody out there in this industry.
Editor's note: An earlier version of this article contained implications that ShapeShift was custodian for more customer funds than it really is. Most transactions with customers are done within 0-20 minutes and customers do not store their funds on ShapeShift. Therefore, ShapeShift is a middleman/custodian of the funds that are used in pending orders, but those only last for up to 20 minutes. Thus the funds at risk are relatively low if the system is running properly like this.