I’ll throw an “allegedly” in here: Pastebin has a story, written by the fellow who hacked Hacking Team, about how it was accomplished.
Lessons learned are, again:
- Change default passwords
- Patch your systems
- Log account and network activity – identify suspicious activity
- Secure your backups
- After sending passwords by email, delete the email and change the password
- Use two-factor authentication everywhere possible