An AOL spokesman claims that "We have already taken security measures to prevent this from happening again. . . ." Those measures might involve whipping and beating AOL Customer Service reps, since the hackers' ploy depended on some... unwise choices by those reps.
The hackers gained access by e-mailing a Trojan horse program to the AOL employees. The hackers seem to have specifically targeted those employees who had access to AOL's subscriber database. Those reps who ran the program opened up their systems to the hackers, which in turn (theoretically at least) opened up AOL's Customer Relations Information System. Among other things, the CRIS contains credit card data.
AOL has admitted that at least 500 screen names (user accounts) seem to have been hacked, and they also admit that credit card data may have been compromised in the attack. The Washington Post apparently found at least one person who confirmed that their credit card data had been stolen.
At some level, AOL should be proud; you know you've hit the big time when hackers write a Trojan horse program specifically for your company. Of course, I doubt that AOL sees it that way...