All of that might have been encrypted, i.e. locked. Otherwise, I don't know what that means.
From the announcement it seems like the attacker had shell access on the machine. If the LN node was online at the time, the macaroon probably had to be available unencrypted either on disk or in memory.
On the other hand, if the LN node was shut down for some reason, then the keys to open the wallet could have been encrypted. Or if the machine was restarted for any reason, then e.g. disk encryption could have stopped the attacker.
reply