Reading between the lines, I suspect this wasn't an injection attack of the obvious kind where the application carelessly concatenates untested input. I.e. not "little bobby tables". The article is a little fluffy on the subject but it takes note of a previously unknown "pre-auth" attack. I have no insider knowledge, but I think it was internal SQL engine vulnerability and not careless app-level coding. Well, it's possible either way.