Why only subject lines? If the attackers could get access to subject lines, why couldn't they access entire e-mails? Apparently because the hackers infiltrated automated systems set up to provide such information to law enforcement in the US and elsewhere. (Getting access to the contents of e-mail messages is harder under US law than getting access to addresses, subject lines, etc., which are considered to be on the "outside of the envelope" and subject to pen register searches.)
According to a Macworld source, "Right before Christmas, it was, 'Holy s—, this malware is accessing the internal intercept [systems].'" Later, Google cofounder Larry Page supervised a Christmas Eve meeting on the security breach.
Fun fact: Google's security team managed to penetrate one of the servers being used by the attackers, which was how the full extent of the attack—more than 30 companies—was revealed.
According to a summary from Ars Technica:
1) It's interesting/worrying that Google has systems set up to provide governments with access to email meta-data. I hope they only provide access if there is a warrant and not just dumps of all traffic.
2) The bit about Google's security team managing to access the servers used by the attackers seems to carry with it the implication that because they had this access, Google is pretty sure that it was the Chinese government who ran the attacks and not some other hacker group working from / using PCs in China.
This situation seems like it's not going to end with good relations between Google and China. I wonder how this might affect other US net-based companies looking to / currently operating in China?