The current updated FAQ from CIMB suggests that special characters were allowed in the past, just not mandatory.
The JS implementation also allows for special characters to be submitted if it was less than 8 characters.

The first article was taking the assumptions of how the old system used to work.
The second article reflects a more accurate situation due to the currently given evidence.

So far we cannot find good evidence that special characters were not allowed during the 8 character era. Everything else points to it being allowed back then.
Regarding the 8 characters thing you mentioned earlier, in the past, the characters were fixed to 8 characters maximum and minimum.
There was never > 8 characters in the past because it does not exist due to the old password policy being fixed at 8 characters.
The JS logic representing the old policy is the one that is saying "less than 8" as a criterion.



All that said, the conclusion is that security was never compromised or hacked due to the new mechanisms for CIMB Clicks as some articles are suggesting in their clickbait headlines