Somebody stole a key from a Certificate authority server? Sensationalist? yeah, sounds pretty sensational.
"They only stole junk from my house. So Your stuff is safe, somehow"
Anyway, they Did fact-check - and the company didn't respond. So they reported what appeared to be a significant breach. Then, when the company responded, they reported that too. Which has a name, which is "Responsible Journalism"
Beware of metaphors when trying to understand computer issues. What happened (assuming this is the truth) is that a useless key was left on a public server in a public directory, and it could be downloaded by anybody, at which point it is useless. There is no helpful physical analogue to this situation. Just understand it as it is directly, it's not that complicated.
Your metaphor clouds the issue, it does not bring understanding. "Breaking in" to a computer network doesn't give you access to a "whole house", and what occurred wasn't a break in, there's no part of that metaphor that actually helps you understand the situation.
At best this shows a bit of carelessness, but then, a useless, expired key doesn't necessarily require much care in handling, either. The only damage here is PR, if what the company says is true.
Except the key is apparently worthless, and thus it makes sense nobody was very particular about securing it properly. More like "They only stole the old bicycle I left unlocked in my front yard."
Making sure that the leaked private key matches the CA's public key isn't particularly difficult. This is still poor fact checking - company's response, or lack thereof, notwithstanding.
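The check this comment refers to, as an added example that is not code from the thread or from the company involved: it uses Go's standard library, builds a constructed self-signed CA certificate (the names and dates are made up), and compares the public key inside the certificate with the public half of a candidate private key; it also checks the certificate's expiry, since whether the key was already worthless is the other question argued above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyMatchesCert reports whether priv is the private half of the public key in cert.
func KeyMatchesCert(cert *x509.Certificate, priv *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey) // compare keys, not sizes or names
}

// Expired reports whether cert's validity period had already ended at time now.
func Expired(cert *x509.Certificate, now time.Time) bool {
	return now.After(cert.NotAfter)
}

// SelfSignedCA builds a constructed, throwaway CA certificate (not any real CA's).
func SelfSignedCA(priv *rsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the CA's real key
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated "leaked" key
	// Constructed case: the CA certificate's validity ended a day ago.
	cert, err := SelfSignedCA(caKey, time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	if err != nil { panic(err) }
	fmt.Println("real CA key matches cert:", KeyMatchesCert(cert, caKey)) // true
	fmt.Println("unrelated key matches cert:", KeyMatchesCert(cert, other)) // false
	fmt.Println("cert already expired:", Expired(cert, time.Now()))        // true
}
```

The same comparison from a shell is `openssl x509 -in ca.crt -pubkey -noout` against `openssl pkey -in leaked.key -pubout`; identical output means the key belongs to that certificate.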
I don't think it's a good analogy. You have procedures for protecting sensitive data. This was not sensitive data, even if it appeared to be to a naive viewer, so the procedures were not followed. This does not imply anything about the security of sensitive data.