My previous hosting company forgot to shut down Apache while upgrading PHP. Many sources were downloaded. So they cleared the logs and told me that "somebody has hacked into my account and installed (FTP only, no SSH at that moment) illegal IRC stuff, that's why .php files have been downloaded instead of executed".
Sometimes on shared hosting, if you know the account name, it is possible to read/write files in other accounts. For example, create a script which reads a well-known open source product's config file and prints the configuration data.
Of course, a good server admin can fix permissions.
And the last thing: I am a developer of web applications, and from my experience I can say that this can cause a lot of trouble, because many people use the same passwords for database/FTP/mail etc. That's why I don't like the cPanel system. The user is forced to use the same password for FTP/SSH and cPanel. (Buy a notebook to keep your passwords. Never use the same password on the Internet.)
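
As an added example that is not part of the original comment: a minimal shell audit an admin could run over a shared-hosting home root to find the permission mistakes described above. The config file names, the `alice`/`bob` accounts and the directory layout are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a shared-hosting home root for permissions that let
# one account read or modify another account's files.
# CONFIG_NAMES is an assumed list of common application config file names.
CONFIG_NAMES="wp-config.php configuration.php config.php settings.php .env"

# Print one finding per line as "<ISSUE> <path>".
audit_home_root() {
    root=$1
    # Account directories that other local users can list, enter or write to.
    find "$root" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/HOME_OPEN_TO_OTHERS /'
    # Application config files (database credentials) readable by "other".
    for name in $CONFIG_NAMES; do
        find "$root" -type f -name "$name" -perm -004 -print
    done | sed 's/^/CONFIG_WORLD_READABLE /'
    # Files or directories that any account can modify.
    find "$root" \( -type f -o -type d \) -perm -002 -print |
        sed 's/^/WORLD_WRITABLE /'
}

# Build a constructed sample tree (two hypothetical accounts) and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/alice/public_html/uploads" "$d/bob/public_html"
    : > "$d/alice/public_html/wp-config.php"
    : > "$d/bob/public_html/wp-config.php"
    chmod 755 "$d/alice" "$d/alice/public_html"       # open to other accounts
    chmod 777 "$d/alice/public_html/uploads"          # anyone can write here
    chmod 644 "$d/alice/public_html/wp-config.php"    # credentials readable by all
    chmod 750 "$d/bob" "$d/bob/public_html"           # closed to "other"
    chmod 640 "$d/bob/public_html/wp-config.php"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree; on a real server pass the home root instead.
sample=$(make_sample_tree)
audit_home_root "$sample"
rm -rf "$sample"
```

On the sample tree only the `alice` account produces findings; `bob`, with `750` directories and a `640` config file, produces none.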