"The hacker compromised the firm's global email server through an "administrator's account" that, in theory, gave them privileged, unrestricted "access to all areas".
The account required only a single password and did not have "two-step" verification, sources said."