JJ and Peak,
There are ways they can get in without knowing the password, and ways they can keep coming back even after you've changed the pw. If you search these forums on "hacked", you'll find quite a few previous threads started by other people whose sites got hacked. It's a lot of reading; how far you get will depend on how interested you are.
A remote file inclusion (RFI) vulnerability (a weak script that allowed them to inject their own code and "include" a file from a remote site) can allow them to upload a "shell script" into your site and run it. Some of the shell scripts that are used are well written and sophisticated (web search r57, c99), and can have basically the same effect as an .msi installer program. Have you ever watched a commercial program install itself on your computer, listing the dozens or hundreds of files as it installs them?
Once the website is compromised, the hacker can also change permissions on files and folders, install backdoor scripts that give them remote access (no passwords required, and password changes will not keep them out), download any files they want from your site, obtain the files that contain your password hashes (and then subject them to very fast offline pw-cracking methods), and on and on and on...
The fact that your site logs contain a lot of data shouldn't make it impossible to use them as a data source. If you're lucky enough to find their accesses in your FTP log, search your HTTP log for other occurrences of their IP address, especially just before the first FTP access, and going back as much as a month before that. If you find that IP address in your log, and the line looks like GET filename.ext?something=somevalue, then you have an indication that the avenue of entry might have been an RFI attack, and you also know which of your files (filename.ext) to check for weaknesses. That's just one example of the type of detective work that can be done.
Any site that has been hacked, even "just a little bit", should be inspected carefully for non-obvious damage such as backdoor scripts that might be in out of the way places or in new subdirectories you don't know about. "Hoping" isn't a good plan! Do a thorough inspection. Since the links injected by this script are invisible, it appears that this one, like most professional hacks, was intended to go unnoticed.
That having been said, I can't say I have the slightest idea how this particular hack occurred; that's why LP staff are investigating now. But you expressed an interest in the general concepts involved, and so the above are some of them. There are things that you can be doing now that can assist the investigation, rather than leaving it entirely up to LP. You know your sites better than they do and have a greater ability to notice things that don't look right.