Re: "how hard can it be..."
Given that the login is already obfuscated by accepting random characters in place of the full string, I can fully imagine this being a separate locked-down system that just passes an authenticated pass/fail flag back to the 'main' server.
Agree that PR need stringing out for such a blatant attempt at a cover-up.
"I saw the problem myself"
"No you didn't"