Note: this is not the same attack as http://news.ycombinator.com/item?id=2050229

In this case, they found a vulnerability in the signature scheme which allowed them to recover a compatible private key. Their signatures are as valid as Sony's own.

Nate Lawson also has a great post on how this can happen, although it's not specific to this case: http://rdist.root.org/2010/11/19/dsa-requirements-for-random...