Sounds like they probably used social engineering to get initial password(s) and thanks to poor security practices used those to go from there? Not to sound malicious or impersonal, but breaking something so wide open is like a solving a hard puzzle, I'd be really interested to hear more details on how they actually did it.
