The Onion’s post-mortem of how their Twitter and other internal accounts were hacked. TL;DR - a fairly unsophisticated phishing attack
http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/
Worth a read: more like spearfishing, as they proceeded to send internal mails from compromised accounts to others, excluding IT. Excluding IT is an effective tactic.