That hackers really messed up Sony's shit is indisputable, but how they did it (and also who they were) is still up in the air. A Recode report sheds some light on the former, though; access was apparently gained through a Zero Day vulnerability, a previously unknown hole that could very well have been for sale on the black market.
Zero Day vulnerabilities get their name from the fact that programmers have zero days to fix them before they are used in an attack. By the time a non-hacker finds out about them, everything is already exploding. These kinds of holes are both rare and extremely valuable to the right people, and so they're often traded on the black market, or auctioned off to the highest bidder.
If Sony was in fact breached with a Zero Day, it lends some credence to the FBI's (disputed!) claims that North Korea was behind the breach; random hooligans don't go around buying Zero Days just to stir up a little trouble. On the other hand, documents leaked by hacks have shown over and over and over that Sony Pictures' security was god-awful, so using a Zero Day would have been kind of like using a battering ram to bash in a screen door. And depending on how you look at it, that's either the first thing or the last thing you could expect North Korea to do. [Recode]