But the most fascinating detail is buried in the 25th paragraph: "[Investigators] suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments." What these hackers did, in other words, was a finely tailored version of this:

The New York Times was the target of a months-long hacking campaign , originating in China, according to the paper. Its report gives a tick-tock account of what happened: The Chinese government warned that a Times investigation of its prime minister's relatives would "have consequences"; AT&T warned the Times about suspicious network activity; the company, with a security contracter, helped track the hackers as they "moved around [the Times' ] systems."

It's handy reminder, just two months after the director of the CIA was felled by lazily hidden Gmail exchanges, that in 2013, "hacking" is as much about people as it is about code.

This wasn't a control room full of masked marauders launching software attacks against a major computer network; it was a group of hackers trying to social-engineer their way into newspaper employees' inboxes. The Times was hacked only after its employees were tricked — its biggest vulnerability, like any other large organization's, wasn't in its software or infrastructure, but in its humans.

A New York Times spear-phishing email could have masqueraded as an internal document, an update to a health-care plan, or a message from the payroll department. Phishing attacks are effective when they're targeted poorly; when a user's name and personal information is incorporated, they're the most powerful tool a hacker could wish for.

It follows that the only way to prevent something like this from happening again is to fix the human factor. In an internal email sent by Arthur Sulzberger Jr. and Mark Thompson, employees were told to to "stay aware and attentive," to "keep your personal information personal," and to "be aware of what you post online."

"The more information you provide," the email reads, "the easier you make it for someone to impersonate you or to steal your identity." Times spokesperson Eileen Murphy adds that Times employees were asked to change their passwords, which is echoed in the memo: "You may recall that within the last few weeks you were asked to change your log-in password." That, it turns out, was while the hack was still developing.

The full memo to employees is below: