Nullcrew dumped some info from the servers including the wp-config.php which contains the database info and database names. Wp-config.php is a PHP file contained in the WordPress CMS, and is the most sensitive file in a WordPress installation. They announced the hack on Twitter with a Pastebin link containing specifics of the hack.
The sub domain was exploited via a local file inclusion (LFI) which allows the attackers to access files on the victim’s system. This exposure comes about when a page include isn’t properly sanitized, and grants directory traversal characters to be injected.