The domain hijacking incident appears to have followed the age-old path of an attacker pouncing on a compromised account and swiping the domain rather than a simple expiration.