Someone with FTP access to your site (you or your developers) has a virus on their workstations. This virus has installed a keylogger that is stealing credentials from your FTP client and sending this information back to the hacker.
The hacker collects hundreds of such credentials and then uses a program to log into each server, [...]

These compromises aren’t really “compromises” at all — the attacker already has a user/pass to log into the system. The password is often gained illegitimately through a rootkit on the end-user’s computer, sniffing authentication credentials without the user’s knowledge, or through phishing scams. With such access, it’s simple for the attacker to launch [...]