This is also true of all Ford's I've come across between 1997 and 2009 - use the key and the alarm will go off, because who uses a key these days?
Incidentally, there's no law (in the UK at least) about having a visible VIN number. There are plenty of websites that will translate a registration plate into a VIN though - no logins needed, publicly accessible.
Anyway, my big problem here is the headline. They didn't hack anything - they used a stolen password (not hacking) to make a key through the correct channels (not hacking) and unlock a car (and if that's hacking, lock everyone up). Theft yes, but at most you could collar them for unauthorised use of a computer system.