I though it was a joke, boy was I wrong :(

I'm spitballing here, but I think they somehow injected code (cross site scripting?), and gained db server password, then remotely logged into the DB.

Man this sucks :(