I understand fully the difference, and I appreciate it myself. I'm perfectly willing to say to someone who uses "123abc" for their bank password, when their money is stolen, "Well, that's hardly a surprise--you should have expected that to happen." while also fully believing that the person who stole the money belongs in prison every bit as much as the guy who breaks into an unoccupied house to loot the place.
But I see a difference between noting that bad things happen when you use weak passwords and what seems to me to be the victim blaming happening in this incident, which is the attitude that they deserved it because of their lack of security. That attitude implicitly absolves the criminal of blame, and further it's particularly bad when the crime isn't a simple theft or getting your computer infected by a virus but something irrevocable and private like getting photographs of your naked body stolen and shared among random strangers.
To me it gets into the same territory as telling someone not to walk around alone at night in a bad neighborhood and saying "It's her fault that she got raped for walking home from that party alone." The former is unfortunately good advice, but it does not then make it the victim's fault when something that should never happen does.
I think in deeper terms this gets at a moral issue, initially started by the hacker subculture decades ago, that many tech-heads have developed that "if you can, it's okay". That is, that if a system is poorly protected, it's the sysop's fault for not locking the doors better when an enterprising hacker figures out how to get in, and whatever happens at that point is fair game. It treats electronic breakins as an abstract; there is this chunk of data that's locked up, and if a clever person knows how to bypass those locks, they get the benefit of mucking around with it--defacing a homepage, sharing secrets, using services for free, etc. It hand-waves away that there are real-world impacts of an electronic break-in--labor to fix things, loss of income, stolen money or identities, deep violations of privacy--and that the people doing so are, more often than not today, just another sort of criminal who prefers to work from a living room or basement instead of with a crowbar and lockpick.
In the physical world, we expect banks to have vaults and security cameras and silent alarms and armed guards because they hold very valuable things, but we still consider bank robberies terrible crimes and rarely if ever fault the bank when one is attempted or pulled off. Similarly, private citizens take basic precautions--lock their doors and windows, maybe leave a light on or put up a fence--but when someone picks a lock or breaks a window to rob the house, no one says "Well, it's their fault for not putting in steel bars and an alarm system." We just say "That's terrible, I hope they catch the guy." If someone gets robbed because they forgot to lock their front door, or left a window open, most people likely say the same thing.
It seems to me that the digital world should be treated similarly--reasonable levels of security are, of course, advisable and should be practiced. And places that have very important things--banks, large businesses with a lot of credit card and private data--should have very stringent security in place to protect that stuff. But crimes committed there are still crimes, and should be treated and viewed as such by society, instead of as somehow different.
Of course, online is also a place where people can and do regularly make violent threats, say horribly racist and misogynistic comments, and spew vitriol in a comment thread that one would never consider face to face because it would get you either arrested or punched in the face.
