I guess my use of the word hacker was a little premature. I also saw how the urls were constructed, and tried replacing the id's just for grins for a couple of other caches. It didn't work, as others pointed out. It wasn't a "backdoor" - it was a goof on the part of the site admin. Since I hadn't seen such a (simple) trick work, I assumed the "hacker" might have gotten into the database server. Not all that unreasonable, since if they're using Active Server Pages (.asp), then they're using Microsoft IIS. And so it's not a far leap to assume they're using SQL Server. And, there have been a number of holes plugged recently with that product. I figured someone used one of the vulnerabilities to get it.
Alas, none of that is true, apparently. Just some fat-fingering on the part of the website admins.