Huddle's 'highly secure' work tool exposed KPMG and BBC files (bbc.co.uk)
6 points by evansd 3140 days ago
1 comments

It seems from the article that security tokens were not unique and were being generated with a 20-millisecond granularity; furthermore, the security tokens were the only thing required to access files (no username, etc.).

If this is correct then this is astonishingly poor design and this problem was completely predictable and obvious.
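
The failure mode the comment describes, as an added example that is not part of the thread and not Huddle's code: it assumes a hypothetical issuer (`weak_token`) that derives the token only from the clock rounded to 20 ms, and sets it beside a hypothetical hardened issuer (`Sessions`) that uses a CSPRNG token bound to one user. The arrival times and user names are constructed sample data.

```python
import hashlib
import hmac
import secrets

BUCKET_MS = 20  # granularity quoted in the comment above


def weak_token(now_ms: int) -> str:
    """Hypothetical flawed issuer: the token depends only on the 20 ms time bucket."""
    bucket = now_ms // BUCKET_MS
    return hashlib.sha256(str(bucket).encode()).hexdigest()[:32]


class Sessions:
    """Hypothetical hardened issuer: CSPRNG token, stored server-side, bound to one user."""

    def __init__(self):
        self._owner_by_digest = {}  # sha256(token) -> user id

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, independent of time
        self._owner_by_digest[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def authorize(self, token: str, user: str) -> bool:
        """The token alone is not enough: it must map to the separately authenticated user."""
        owner = self._owner_by_digest.get(hashlib.sha256(token.encode()).hexdigest())
        return owner is not None and hmac.compare_digest(owner, user)


def collisions(tokens) -> int:
    """Number of issued tokens that duplicate an earlier one."""
    return len(tokens) - len(set(tokens))


def demo():
    # Constructed sample: five login arrival times in ms; the first three share one bucket.
    arrivals = [1000, 1007, 1019, 1020, 1055]
    weak = [weak_token(t) for t in arrivals]
    store = Sessions()
    strong = [store.issue(f"user{i}") for i in range(len(arrivals))]
    # Last element: user1 presenting user0's token is refused by the hardened store.
    return collisions(weak), collisions(strong), store.authorize(strong[0], "user1")


if __name__ == "__main__":
    print(demo())
```

A useful regression check for any token issuer is the one `collisions` performs: issue a burst of tokens for distinct users inside one clock tick and fail the build if any two are equal.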