You need to define this in your terms of service. The problem from a client's perspective could be that there is a weakness in the security of the site, which you the developer are responsible for creating, and therefore are responsible for securing. The technicalities of what happened or who is responsible (host or developer) may not be an argument you can win.
For example it could be that a simple form was the entry point because you did not put in place any SQL injection prevention steps.
Any developer worth their salt would point to this being a developer's error. Any host with experience might also point to the developer, and they'd be right.
My question to you is "can you figure out what was hacked, and how?" and if you can, then plug the leak quick and pray they don't take you to court over it.
For example it could be that a simple form was the entry point because you did not put in place any SQL injection prevention steps.
Any developer worth their salt would point to this being a developer's error. Any host with experience might also point to the developer, and they'd be right.
My question to you is "can you figure out what was hacked, and how?" and if you can, then plug the leak quick and pray they don't take you to court over it.