I suspect a more simple issue assuming DC is hosted. Typical to use hardware called a load balancer between the users and the servers. The appliance moves sessions around between servers. This process is normally seamless. Until an engineer ignorantly changes things on the fly. That is my suspicion.There may be more truth than we'd like in what happened. If I were writing a hack, and mind you I don't do such things, I would sit on the log in que, go from one log in to another, log the one of interest out, log in with their credentials, copy any personal info, log out, then move to the next person logged in.
It should stand as a lesson that any personal info is NEVER secure - unless you keep it in your head and a cyanide pill in your pocket. :embarassed: