The Syrian Electronic Army's attack against The Washington Post succeeded because of a vulnerability in Outbrain, a third-party content recommendation service. Outbrain works by embedding a widget filled with sponsored links on websites, and it seems that once the SEA had hacked Outbrain, it gained the ability to redirect readers on certain pages to SEA-controlled sites.
The SEA says its attack on Outbrain also allowed it to compromise the websites of Time and CNN.
The Post's engineers have confirmed that Outbrain was the source of the vulnerability. Outbrain has also confirmed that its systems have been attacked, presumably a reference to the SEA.
Update: An Outbrain spokesperson wrote in with the following statement:
We are aware that Outbrain was hacked earlier today. In an effort to protect our publishers and readers, we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it's safe to turn it back on securely. We are working hard to prevent future attacks of this nature.