You have probably got it in one.
Looks like an incorrect link was sent out to the player, which instead of linking them to their OWN account, linked them through to the casino administration panel.
The link posted (without the /XXXXXXX) simply requires the administrator to log in, clearly hackable, since a good deal of the legwork has been done by giving out the route to this page on the server (a sequence of 20 random letters). I presume that, given an appropriate value for the following /XXXXXX, the link will automatically log into the casino admin area.
It seems that sodax is saying that the original link DID INDEED have a value for "/XXXXXXX" that logged straight into the admin area.
When sodax tried to make the support staff aware, they simply assumed this was a threat (blackmail - whatever), and reacted by not cooperating with this attempt to assist, but rather brought on a confrontation. The accusation that sodax was attempting to obtain "personal information" seems to be derived from their view that sodax had actually hacked the server, and had sent the resulting spreadsheet not as evidence of the bug, but as a statement of "threat", such as "do this for me, or this information might be misused."
I would hope that all administrator username and password details were immediately changed as soon as they were aware of this breach, but they should also ensure that they are sufficiently secure such that a cracking script attached to this page could not grant easy access.
As well as personal details of players, this admin area will probably contain access to the operator "tweaks" to payout tables and slot percentages.
Strictly speaking, the login area should not be shown to an IP outside of the range used by appropriate employees. Most websites would simply show "access denied", rather than allow use of the secure page.
It may be that the admin page is on the same server as the players use to log into their OWN accounts, and thus cannot be blocked by IP.
The fact that sodax originally got in through the link in the E-mail about the withdrawal means this is a pretty serious issue, as the same mistake could well be made in E-mails to other players; they may even just try to log into their player account without really reading the fact this is "administrator", not player, login.
The large number of E-mails exchanged between sodax and support simply ensured this issue was looked upon as "oh no, not again!", rather than being properly addressed. This just ensured sodax got the impression they just did not care about the potential security issue, and just wanted sodax to "go away and forget about it" - sodax could not do this until an assurance had been received that management had checked for, and closed, any security issues.
I rather get the impression this is an RTG problem, not just this one casino, and is how the RTG software comes when supplied. At the very least, the page should have been reallocated such that it could no longer be reached by the original 20 letter coded link.
I expect there are MANY RTG casinos where this happening would be treated with enthusiasm by disaffected players, but fortunately InetBet is not one of them. Disaffected players are probably thinking along the lines of "does this glitch exist at CoolCat".
I had not thought that one of the major brands would allow administrative access over the internet with just the protection of two simple codes (user & password). I get the impression that such functions at brands such as Microgaming are performed locally at the offices of the operators by secure links (I could be wrong, operators please do NOT clarify if this is the case, just check it really is secure!).
It might be an idea to have Bryan look at all these E-mails that led to this parting of ways, mainly to see how this developed into a mud-slinging match when sodax tried to report this one security concern. (Or was it already a mud-slinging match BEFORE this particular issue became the "last straw" for support?)