Keith Ng at the Herald has a good summary of what's known and where we're at.
"MMH has confirmed that only a single stolen user account was used in the attack. Posing as a normal user, the hackers were able to trick the application interface into providing the files for 127,000 other users. The control mechanisms meant to stop one user from accessing other users’ files had failed, or did not exist."
It sounds like they accessed one person's files, then trimmed the URL to move up a directory or two where they found paydirt.
So less of a hack, more of a problem with poor or non-existent security.
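The failure the quote describes, one account being served other users' files, is a missing object-level authorization check. As an added illustration (not code from the article or from MMH; the storage layout, user ids and function names are assumptions, and the actual mechanism has not been published), this is the server-side check that ties every requested path to the logged-in user's own directory, next to the unchecked form:

```python
import posixpath

STORAGE_ROOT = "/srv/portal/files"  # assumed layout: <root>/<user_id>/<file>


class AccessDenied(Exception):
    pass


def resolve_unchecked(requested: str) -> str:
    """Weak form: any logged-in session may name any path; ownership is never checked."""
    return posixpath.normpath(posixpath.join(STORAGE_ROOT, requested.lstrip("/")))


def resolve_for_user(session_user_id: str, requested: str) -> str:
    """Hardened form: the path must resolve to a file inside the caller's own directory."""
    # The id comes from the server-side session, never from the URL.
    if not session_user_id.isalnum():
        raise AccessDenied("invalid session user id")
    own_prefix = posixpath.join(STORAGE_ROOT, session_user_id) + "/"
    resolved = posixpath.normpath(posixpath.join(STORAGE_ROOT, requested.lstrip("/")))
    # Normalise first, then compare: this rejects other users' directories,
    # "../" segments, and trimmed URLs that name a parent directory.
    if not resolved.startswith(own_prefix):
        raise AccessDenied(f"user {session_user_id} may not read {requested!r}")
    return resolved


def decisions(session_user_id: str, requests: list) -> list:
    """Return (request, 'allow' | 'deny') for each requested path."""
    out = []
    for req in requests:
        try:
            resolve_for_user(session_user_id, req)
            out.append((req, "allow"))
        except AccessDenied:
            out.append((req, "deny"))
    return out


# Constructed sample requests, all sent from the session of user 1001.
SAMPLE = ["1001/results.pdf", "1002/results.pdf", "1001/../1002/results.pdf",
          "1001/", "", "10011/scan.pdf"]

if __name__ == "__main__":
    for req, verdict in decisions("1001", SAMPLE):
        print(f"{verdict:5} {req!r}")
```

The comparison here is lexical; against a real filesystem the resolved path should also be passed through `os.path.realpath` so symlinks cannot step outside the user's directory.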