It sounds like they realized the API was improperly exposed on 9/17/2014, but didn't necessarily know if it had ever been accessed by an unauthorized request.
I could see it taking a while to find one bad request in the entire history of the API's lifespan -- presuming that they had to find the logs, weed out false positives, different sites and versions that behaved differently, etc.
That still doesn't explain a 5 month gap. The only (charitable) explanation that makes sense to me is that they discovered the API was exposed, thought they had proven it was never improperly accessed, and then only much later realized that it had been after all.