[lxgr]

Not malicious, but also not exactly purely accidental, i.e. as part of some otherwise totally legitimate activity.

[foota]

I think the accidental part would be in the scope. I'm not an expert on these things, but they could have intended to create a self signed cert only valid within the scope of their IT, but accidentally created one from their CA.