I believe that the "shitty Russian code" that Epik "inherited" was responsible for how poorly the data was being stored, yes. I haven't actually looked into it much, but I think most of Epik's website code was actually included in the leak. I'm not really a security researcher, so I wouldn't be able to point out anything interesting, but another Twitter user found at least a couple really horrible flaws, at least one of which still allowed drive-by XSS attacks on the current version of Epik's site(!!!). Epik blocked that person from logging into their bug reporting system, indicating that they still don't give a shit about security. If we give them the benefit of the doubt, we could say they're too busy scrambling to fix things to worry about the bug reports, but instead of spending time blocking a security researcher from doing their job, they should have spent that time fixing their shit.
I know who registered the domain that the Bccs were going to; I will share that information if it's expressly allowed by a mod. As for whether or not it's alarming, in my opinion, it is alarming that Epik was doing this in the first place, but again it was probably due to gross negligence and not some evil plot.