Honestly, with all of these security issues in play, I'd really hope GGTor completely scraps their website and starts fresh.
This is web dev 101. You cannot get user authentication and authorization wrong, ever. Doing so could cost anyone millions of dollars in damage and legal fees if circumstances are correct. I cannot ever think of an organization to do such a thoughtless action, and this was intentional. There's not one bit of tutorials out there that will teach you this is how to do authentication. This was a conscious decision from their team, and it's here to haunt them.
I'm in no way blasting GGTor, I really hope this gets to them as constructive criticism. It's not easy building a large platform, and not easy to build one fast. That's why we have frameworks and packages to help us build quickly.
I would emphasize to GGTor that their current structure should be abolished in favor of a complete rewrite. I don't want to ever see that light of what would hopefully be their old backend, and I wish for them to do everything over from step 1 with the correct and well-secure methods we have available nowadays. I really, really hope that they find more flaws in their system so that it can be patched, because this is the first thing we notice? I'm really thinking there's more to it than just user passwords we can change.
Please, for the love of God, let this be a message to GGTor and their engineering team. May this be a message of construction rather than demolition.