How does one "misconfigure" something that badly? Humans are humans, but come now, with something this sensitive do they not have more than one pair of eyes looking over this stuff?
They probably assume that the software wouldn't let them make such a huge mistake. And arguably it shouldn't. They ought to be a big "MAKE THIS PUBLIC" button. But then, it's not uncommon for clueless folk setting up Tor hidden services to forget that webservers on 127.0.0.1:80 are not restricted to Tor. That's not part of the webserver's job.
There's a thread with the title concerning our eventual over-saturated outrage over leaks, hacks, etc. Isn't this SkyNet's corporate motto?