Out of curiosity, how could one program something to access the DB without storing the password somewhere on the server? That seems to be the main weakness they are discussing, but it doesn't seem to be easy to store the password on the server without a trivial way to exploit it.
Awesome, this never occurred to me. Even though it was a very simply hack, you've got to applaud the hackers for thinking outside the box in the first place and going "Hrmm... I wonder if anyone has left their wordpress config as 755? And how can I use that to my advantage?"
The attack was very simple, basically scanned all sites hosted there for wp-config.php with the wrong permissions. If it found, got the db information and modified it.