Lessons learnt from high profile security breaches

02.10.2012

What are the common themes that appear in these types of attacks?

Security trust chains have weak links. In these cases, the attackers did not start off with access to their end goal. They exploited the fact that each successive level of protection relies on the level below doing its job. Google would never dream of letting a Gmail user log in with just their billing address, but in the example above that is effectively what was happening. There were just a few more steps required in the middle.

Password reset procedures -- why put a lock on the front door if the back door is wide open?

Organisations are often so concerned with reducing the impact on a customer who forgets their password that they trade away the overall security of the system. Attackers no longer have to break strong password hashing; they just call the friendly customer support line and hand over a partial credit card number.
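The trade-off in the two passages above, as an added example that is not from the article (the account model, the PBKDF2 parameters, the token lifetime and the attempt limit are assumptions of this illustration): a login that checks a slow, salted password hash sits next to a reset path that checks only a billing address and the last four card digits, so an attacker who already holds the address from another source needs at most ten thousand calls to open the front door. The hardened reset beneath it goes beyond what the article describes, which does not prescribe a fix: it swaps knowledge of facts that leak elsewhere for possession of a single-use, time-limited token delivered to a registered address, compared in constant time and limited in attempts.

```python
from typing import Optional
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this illustration, not taken from the article.
PBKDF2_ITERATIONS = 200_000
MAX_RESET_ATTEMPTS = 5
TOKEN_TTL_SECONDS = 600


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: guessing passwords at the front door is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, email: str, password: str, billing_address: str, card_last4: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.billing_address = billing_address  # printed on invoices, held by other vendors
        self.card_last4 = card_last4            # printed on every receipt
        self.reset_token: Optional[str] = None
        self.reset_expiry = 0.0
        self.reset_failures = 0

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))


# Back door: the support-line reset the text describes. It verifies the caller
# with facts that are not secret, and nothing limits how often it can be tried.
def weak_reset(account: Account, billing_address: str, card_last4: str, new_password: str) -> bool:
    if account.billing_address == billing_address and account.card_last4 == card_last4:
        account.password_hash = hash_password(new_password, account.salt)
        return True
    return False


def brute_force_weak_reset(account: Account, known_address: str) -> Optional[str]:
    """Attacker already holds the address; the four digits are a 10,000-guess search."""
    for guess in range(10_000):
        last4 = f"{guess:04d}"
        if weak_reset(account, known_address, last4, "attacker-chosen"):
            return last4
    return None


# Hardened reset: proof of possession of a registered channel instead of
# knowledge of data that leaks elsewhere. Single-use, short-lived, attempt-limited.
def begin_reset(account: Account, outbox: dict, now: float) -> None:
    account.reset_token = secrets.token_urlsafe(32)
    account.reset_expiry = now + TOKEN_TTL_SECONDS
    account.reset_failures = 0
    outbox[account.email] = account.reset_token  # simulated out-of-band delivery


def complete_reset(account: Account, presented_token: str, new_password: str, now: float) -> bool:
    if account.reset_token is None or now > account.reset_expiry:
        return False
    if account.reset_failures >= MAX_RESET_ATTEMPTS:
        return False
    if not hmac.compare_digest(account.reset_token, presented_token):
        account.reset_failures += 1
        return False
    account.reset_token = None  # single use
    account.password_hash = hash_password(new_password, account.salt)
    return True


def demo() -> dict:
    """Constructed sample data: a victim the attacker has profiled from a leaked invoice."""
    address = "1 Example Street, Springfield"
    victim = Account("victim@example.com", "correct horse battery staple", address, "4242")
    out = {}
    out["front_door_guess"] = victim.login("Password123")             # strong hash, wrong guess
    out["back_door_last4"] = brute_force_weak_reset(victim, address)    # four digits fall quickly
    out["attacker_logged_in"] = victim.login("attacker-chosen")        # back door opened the front

    victim2 = Account("victim@example.com", "correct horse battery staple", address, "4242")
    outbox: dict = {}
    now = time.time()
    begin_reset(victim2, outbox, now)
    out["guessed_token_rejected"] = not complete_reset(victim2, secrets.token_urlsafe(32), "x", now)
    out["owner_reset_ok"] = complete_reset(victim2, outbox[victim2.email], "new passphrase", now)
    out["token_reuse_rejected"] = not complete_reset(victim2, outbox[victim2.email], "again", now)
    begin_reset(victim2, outbox, now)
    late = now + TOKEN_TTL_SECONDS + 1
    out["expired_token_rejected"] = not complete_reset(victim2, outbox[victim2.email], "late", late)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the dictionary makes is the one the article makes: the strength of the front door is irrelevant once the reset path accepts something an attacker can collect from a receipt and a second vendor, and a reset that proves possession of a registered channel closes that path without weakening the password check at all.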

Collect all the little bits of information you need and then build up to the prize. The attackers' end goals were reached through smaller wins along the way. In most cases these smaller wins yielded information that the protecting organisation didn't consider significant. It wasn't until near the end goal that it became clear what the true value of all the smaller pieces added up to.