It's a fr*!kin waste of time when hackers do this (understatement) and I can imagine how annoyed you were.
There are a few points I'd add in here IMO too:
- upgrading to 6.5 won't close security issues. as you pointed out, the (cre) cart itself is built on old code which isn't being maintained regularly. (cre) loaded has always been about jamming as many features into a cart as possible. whether they all work together or whether they create security loopholes, is a 'next release' concern.
- an equally as large risk is from some pretty weak security habits of the cart owners (not referring to the OP specifically) but the number of carts that are still running very old versions and /admin folders with passwords that never get changed, version/patch info on display, no use of htaccess files, running upload directories with no filtering, redundant admin accounts ...
- if you do get hacked and the server is never fully wiped / rebuilt, you really haven't fixed things for the next install so will be vulnerable to getting done again. this of course is difficult to do on a hosted server ... so time to change hosts maybe
- whether you store payment information or not, customer information (email address, mailing addresses, order history) is of value ... and none of your customers will thank you for getting it passed on to a hacker in this age of ID fraud
- (cre) loaded seems now to be a payment gateway first and cart supplier a distant second. there doesn't seem to be any evidence of ongoing development, patch releases or community tracker.
- there isn't a cart around that is unhackable (just more frequently updated code) and if your admin is getting news feeds from the cart builders, you're vulnerable too (as per this last year when prestashop.com got hacked itself