How did the FBI compromise Tor users?
The article you link says that the FBI obtained "the MAC address" for the user computers. MAC addresses are specific to each ethernet hardware, and they don't travel beyond the first hop -- meaning that they are visible to your home router, possibly the one provided by the ISP, but not beyond. If that specific piece of information is true, then this means that the FBI really deployed a piece of malware on the site, and the users simply got it on their computer.
After all, the FBI first seized the offending site and ran it, at which point they had full control over its contents. People using Tor to access a child pornography site are not necessarily smarter than average people, and they would intrinsically "trust" that site, making malware deployment possible, even easy.
Tor anonymity relies on the idea that potential attackers (the FBI in that case) cannot control sufficiently many nodes to make correlations possible. However, that "sufficiently many" is not that big a number; if one of your connections, even temporarily, goes through an "entry node" controlled by the attacker, and the same attacker can see what happens on the exit (and he can, if he actually hosts the target site), then correlation is relatively easy (through both timing of requests and size of packets, because encryption does not hide size). With control of the target site, it would be even possible to change the size of individual response packets to help correlation.
However, Tor does nothing against hostile code sent to the user and executed by the user, and if the MAC address was recovered then such code was involved.
The article you posted states how they did it. But the author doesn't seem to be knowledgeable on the subject and it got lost in the article. They didn't crack Tor and more so found a way to collect analytics that didn't go through Tor's network.
First the FBI confiscated the servers running the child porn ring on Tor known as Playpen.
After seizing the computer server running Playpen from a web host in Lenoir, North Carolina, in February 2015, the FBI decided to run the child pornography web site from its own servers in Newington, Virginia, for an additional two weeks between 20 February and 4 March of that year.
They then ran the site with a Flash embed on the page. The Flash application was not hosted via Tor. And connected through traditional means such as HTTP or sockets. When establishing these connections it bypasses Tor completely. The Flash application then collected the information from the user. As far as getting a MAC address I cannot verify the claims. This could either be the FBI blowing smoke or they could of exploited a vulnerability in Flash player to accomplish this. Unlike JavaScript, Flash is not sandboxed and has the potential to gather more information from the machine which has resulted in quite a few CVEs. The FBI has also utilized this method known as a NIT (network investigative technique/toolkit) in the past.
When visitors accessed the website, although their traffic might have been encrypted, a Flash application was secretly installed on the user's computer that quietly sent important data about the user straight to the FBI so that it did not pass through the Tor network at all, according to Motherboard Vice.
Nobody's sure at this point because the details haven't been released. There's a lot of suspicion that this has to do with methods Carnage Melon developed back in late 2014 and executed mid-2015.
https://threatpost.com/judge-confirms-dod-funded-research-to-decloak-tor-users/116464/
There were weaknesses fixed in mid-2015, but there are some weaknesses which are very difficult to protect against (e.g., traffic analysis attacks). It's not so easy to control the majority of the Tor network, so it's not easy to answer "what is the identity of this visitor?", but using these attacks, it was easy to answer "give me a list of some of the IPs communicating with this hidden service".
http://arstechnica.com/security/2015/08/concerns-new-tor-weakness-is-being-exploited-prompt-dark-market-shut-down/
"It also requires the attacker to have previously collected unique network characteristics that can serve as a fingerprint for that particular service."
My understanding is that the July 2015 fix was to address those weaknesses.
Tor is on shaky ground though, this Blackhat talk late 2014 was pulled mysteriously... then things went nuts in 2015:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
"In our analysis, we've discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months."
7:26 of Dec 2015 "state of the onion" goes into some of this:
https://www.youtube.com/watch?v=EXEUE__ap08