That is the more plausible scenario, although it relies on backdoors being present on the site or someone knowing some other vulnerability.  Given how quickly DB was audited, fixed and tested, I wouldn't be surprised if this was the case.