I have freelanced in web development for many years. It is probably not your developer. It looks like you hired an agency and unless they are planning to close shop the risk of a client calling them out as a hacker would collapse their reputation and future business. But it's possible, I am not denying that. But low in probability.
If you are using something like wordpress, it's possible that they used a plugin which has a known security issue and someone targets all websites which have that plugin. Another possibility is your web host. One thing I would check is if other websites on the same host (through shared IP, if you are on shared) are also hacked.
In either case, your developers most certainly shouldn't have blamed you. If a developer builds a site, he is responsible for it's security. There are some basic security things needed to be taken care of which reduce the chance of your site getting hacked to minimal. If you are on a shared host, move to a VPS. Use a server firewall, implement access logs for all users etc.
If you are using something like wordpress, it's possible that they used a plugin which has a known security issue and someone targets all websites which have that plugin. Another possibility is your web host. One thing I would check is if other websites on the same host (through shared IP, if you are on shared) are also hacked.
In either case, your developers most certainly shouldn't have blamed you. If a developer builds a site, he is responsible for it's security. There are some basic security things needed to be taken care of which reduce the chance of your site getting hacked to minimal. If you are on a shared host, move to a VPS. Use a server firewall, implement access logs for all users etc.