Wired reports that the method Nicolas Jacobsen used to gain access to T-Mobile accounts was through a known hole in their WebLogic server – for which BEA had a patch available.
This however didn’t make Jacobsen a ‘script kiddie’ – he ended up writing his own custom interface to their customer database.
Another good example of the need to keep those systems patched!