It seems from the article that security tokens were not unique and were being generated with a 20 millisecond granularity; furthermore, the security tokens were the only thing required to access files (no username, etc.).

If this is correct, then this is astonishingly poor design, and this problem was completely predictable and obvious.