RAK7243 Join but no Uplink or Downlink

Each device still has its unique DevEUI. The way TTN implemented OTAA in V2 (and hopefully in V3 as well) happens to use the combination of AppEUI and DevEUI to find a device and its application. Still: not good at all to use a non-unique AppEUI for multiple customers, I’d say. Also: it seems some have had problems registering such a non-unique AppEUI, but others see no issues, like both described in the link I posted above.

Also, now that the secret AppKey is in the open, I’d say that their security-by-obscurity failed on them, and I’d consider all similar Netvox devices to be compromised. The OTAA Join Request is not encrypted, so anyone can get the DevEUI (and AppEUI, but well, we know that already) from the radio transmission, if one can fool a device into starting a new join. That by itself might be hard to trigger, but the DevEUI won’t be random; it’s just one out of an incremental range of EUI-64 addresses that they purchased, so one could also simply try to guess the DevEUI. A rogue device could then initiate a new join, which the original device is not expecting. After that the original device’s DevAddr and secrets (NwkSKey and AppSKey) that it got during its own join will no longer be accepted by TTN, effectively rendering it useless until it joins again.

Be sure to peel off any stickers that show the DevEUI from the devices…
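Added example, not part of the original post: a decoder for the cleartext OTAA Join Request described above, plus a check a network operator could run over captured frames to spot joins from devices that should still have a live session. It assumes the LoRaWAN 1.0.x Join Request layout (MHDR, AppEUI, DevEUI, DevNonce, MIC); the sample frame and the `live_sessions` set are constructed for illustration.

```python
import struct
from typing import NamedTuple


class JoinRequest(NamedTuple):
    app_eui: str
    dev_eui: str
    dev_nonce: int
    mic: str


def parse_join_request(phy: bytes) -> JoinRequest:
    """Decode a LoRaWAN 1.0.x Join Request PHYPayload (23 bytes, none encrypted)."""
    if len(phy) != 23:
        raise ValueError("Join Request must be 23 bytes, got %d" % len(phy))
    if phy[0] >> 5 != 0b000:  # MHDR: MType is the top 3 bits, 000 = Join Request
        raise ValueError("not a Join Request (MType=%d)" % (phy[0] >> 5))
    # EUIs travel little-endian; reverse them to get the form printed on stickers.
    app_eui = phy[1:9][::-1].hex().upper()
    dev_eui = phy[9:17][::-1].hex().upper()
    (dev_nonce,) = struct.unpack("<H", phy[17:19])
    # The MIC authenticates the frame with the AppKey; it does not hide any field.
    return JoinRequest(app_eui, dev_eui, dev_nonce, phy[19:23].hex().upper())


def unexpected_joins(frames, live_sessions):
    """Return DevEUIs that sent a join although their session is believed live.

    `live_sessions` is a hypothetical set of DevEUIs the operator does not
    expect to rejoin (for example, devices that sent an uplink recently).
    """
    hits = []
    for raw in frames:
        try:
            jr = parse_join_request(raw)
        except ValueError:
            continue  # not a Join Request, or malformed
        if jr.dev_eui in live_sessions:
            hits.append(jr.dev_eui)
    return hits


# Constructed sample frame: MHDR | AppEUI | DevEUI | DevNonce | MIC
SAMPLE = bytes.fromhex("00" "0807060504030201" "8877665544332211" "3412" "DEADBEEF")

if __name__ == "__main__":
    print(parse_join_request(SAMPLE))
    print(unexpected_joins([SAMPLE], {"1122334455667788"}))
```

Because every field decodes without a key, the DevEUI has to be treated as public; only a per-device AppKey keeps a join authentic.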