How hard is to hack a website? It depends on the website and how you've set it up. There are thousands of variables.
What is the secrete or secretes that they have to know in order to do this?
The LimeLM web API key is the secret. It's like the username/password for your account. Don't share it, don't post it to a public repository, and don't embed it into your application. Only use it in places where you know the customer won't have access to executable code. That is, use it for its intended purpose -- on your website in code that is executed on the servers (not from javascript that runs on a page).