Wordfence notified the company on September 28th and OptinMonster released a patch the following day. However, additional work was needed on the patch. The fully patched version was released on October 7th as 2.6.5. The most up-to-date version available as of writing this article is 2.6.6.
The majority of the problem was that the REST-API endpoints were implemented insecurely which made it possible for unauthenticated users to access them. One of these endpoints disclosed sensitive data such as the full site path on the server and API keys needed to make requests to the OptinMonster website.
For additional details on how the vulnerabilities could be exploited, read their findings and make sure OptinMonster is updated to at least 2.6.5