David Rogers has a long post on how voicemail accounts were compromised:
A few people have asked me to explain what the whole phone hacking thing means. The first thing to mention is that the phone hacking episode has nothing at all to do with actual 'phone' hacking. It is actually illicit voicemail access. Access can be gained by using some technical knowledge and/or tools, but on the whole it is through system and process weaknesses.
He also summarizes in a shorter post:
In brief, there are three main mechanisms for illicitly accessing voicemail: firstly social engineering the call centre to reset or change the PIN for you as a precursor to one of the following 1) call the remote voicemail number and access it using the default (or acquired) PIN, 2) ringing the actual phone, going into the voicemail menu by pressing the * key or 3) using an advanced mechanism to fool the phone into opening up the voicemail. There are some loopholes still existing and as technology evolves new ones will emerge.
Finally, Sophos asked him to write an article on how it worked and how to protect your voicemail:
This is not 'phone hacking'. It is illicit or illegal access to voicemail.
I’m going to explain a bit about what exactly is behind this, how it works and what you can do to protect yourself from people wanting to access your voicemails.