Mossack Fonseca's 'client portal' (the part where all the information the world is interested in was uploaded) is running on a version of Drupal (7.23) that they haven't updated in over 3 years. We're now on version 7.43.
There was a MASSIVE deal when 7.32 came out as it patched a very serious security hole. If you're site wasn't patched within 7 hours, you could consider it hacked. We had all ours patched within 45 minutes.
Not keeping your website's security update patches applied will get you in trouble.
They still haven't updated their website, so if you wanted to hack them again, you could simply use one of these scripts: https://github.com/…/drupalg…/blob/master/attack/exploit.php
(P.S. I am NOT suggesting anyone should hack them - just illustrating how easy it is - be careful when you trust your sensitive information to others.)
If you're anyway interested, the theme to power their portal cost a whopping $48.
And it seems their server is running on PHP 5.2, which reached end of life over 5 years ago.