Reportedly, the attack wasn't difficult. The hacker only needed to have control over a site (new or existing) to get started. After that, it was mostly a matter of modifying a configuration file, triggering a password reset and getting root access.

From early indications, the perpetrator is handling the data relatively responsibly. It's going to a security researcher who'll hand it over to law enforcement, which might just use it to bust the porn peddlers. Investigators may be as frustrated as they are happy, though. When the FBI infiltrated Dark Web porn sites, it used location-tracking malware to help identify individual users. Well, it probably can't do that now -- investigators might pinpoint the site operators, but the clients will have scattered to the four winds. While this is still a blow to the internet's criminal underbelly, it's not as big a victory as it could have been.