[nnwa]

"After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators."

That translates to password reuse, or an insecure password.

[jessaustin]

...or a client attack, or XSS, or poorly secured tokens, or whatever. If we always blame the user first, we're bound to miss something. Even if the fault were an insecure password, the admin site would still be to blame for not throttling and locking down the account in response to repeated attack.

[nnwa]

Fair point Jess.