IIRC their system with Bitfinex was a 2-of-3 key setup, with BitGo holding one key and Bitfinex, for some reason, holding two. At least that's what's stuck in my memory from Bitfinex/BitGo communications at the time, since the setup seemed to negate the point of using BotGo in the first place.
Edit: I should've clicked the link there, it says pretty much the same. It doesn't seem to me there was much left to explain - the attacker gained access to Bitfinex's keys and that was enough to withdraw. The idea of using BitGo was that a compromise of Bitfinex couldn't lead to loss of user funds, but Bitfinex holding two keys completely undermined that goal.
