Best guess for initial break-in is phishing. I've always thought there should be a "sudo" light/display on the monitor that can only be accessed by the superuser, making attackers unable to completely mimic a dialog requesting secure access.