Yes, they should have fixed it when they knew about the problem. As far as the guy with the PayPal, it’s his own fault for using the same login and password on the same sites.
I have separate logins for like regular use, and then I have a very strong login and password for my PayPal, bank, etc., nothing like what I use for regular website browsing.
What most people do know about nettuts+ is that all of their sites use the same login and password.
So it makes you wonder how they can say that only nettuts+ was hacked.
I’ll bet that they were using the same third party plugin for all their sites because they all use the same login and password.