Not necessarily untrue
In my last job at a hosting company, this is actually largely true. There were a lot of duplicate passwords, many of them having slight changes depending on the server, and a few key 'master' passwords.
When you have logins for the billing system, inventory/management, key authentication (for control panels etc.), KVM/IPs, and more, what are you going to do? Make obtusely different passwords for each section? And then do what, have a master password sheet you pass around? Nah, make it easy for the employees. It sounds insecure as hell, and it really is, and even as the most security-anal person there, I understood just why. Some of my coworkers used password vaults for easy access.
While I'm not familiar with how HyperVM manages file systems for virtualized containers, I know that in Virtuozzo it's very easy to fuck with a VPS from the hardware node itself -- just go into /vz/private and have fun. You can just nuke /vz and you've destroyed the files for every VPS in there except the config files (stored in /etc/vz/conf).
Billing system as well... most hosting companies, aside from small ones or immensely huge (i.e., GoDaddy) ones, use standardized billing platforms like WHMCS or billing software provided by their control panel provider (Plesk Billing, ClientExec, etc.). So as long as you know the database structure (and most use something similar), you can get in there and harvest away by dumping tables to an external file, then using a few basic commands to make the output into an easily readable file.
I still have no doubt that these are script kiddies; their behavior and actions speak volumes of it. But the attack itself sounds highly probable.