There are so many reasons that this story is so alarming, and one of them is that because the software delivery network is proprietary, it would have been illegal for the researchers to actually break in to confirm their suspicions: https://u.fsf.org/2na