
Tuesday, 29 June 2004

Zero-day exploits

The descriptions of the recent Internet Explorer and Internet Information Systems security problems in many online stories include the zero-day designation, such as in The Register: "Internet Explorer. Quick, call security!"

While some speculate that an IIS zero day was used to own the servers, my guess is that the hosting boxes were not patched against a recent vulnerability (something like MS04-11). I would normally say "Hey, you should have been patched" and go about my business. But this event is a bit different.



A good definition of this term is given by About.Com in Zero-Day Exploits:

The Holy Grail for malicious program and virus writers is the "zero-day exploit". A zero-day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor. By creating a virus or worm that takes advantage of a vulnerability the vendor is not yet aware of and for which there is not currently a patch available the attacker can wreak maximum havoc.