I suspect you're on the right lines: but from the XSSExploits tweets I imagine that what they might well have done is execute some JS to add a new authorised phone number to the list (i.e. by just posting the new details).
That said, they say they also needed a StrongWebmail account for it to work, so I could be wrong - perhaps they just hijacked their authed session ID into the CEO's (possibly??)