Cybersecurity firm Pandora says that the hacks were the result of an “SMSC spoofing attack.”