Freedom Hosting II got hacked via improper permissions on a hosting panel related config file. These guys business is hosting tor sites. The hackers claim that there was tons and tons of sketchy stuff being hosted.
Anyway symlinks don't change what user you are, so the first part is just how they got loose on the filesystem. They could have uploaded a copy of c99 shell just as easily. The real problem is the ~fhosting/www/_lbs/config.php file, which EVERYONE who does webhosting knows to be careful with, was readable either by the Apache user or by the user for the new site. In this case it was probably the apache user, which is why they used mod_autoindex insetad of a php shell which generally (depending on hosting configuration) would run as the username that they received with the website. Most cpanel like shells have parts that run as root so resetting the password isn't that big of a deal.... but what was "user" doing in suders? Anyway in all probably not a huge deal, just laziness from FH II.