The hackers got Honan's residential address from whois records for a personal domain he had registered. The last four digits of the credit card were obtained through Amazon. The technique involves first contacting Amazon as Honan saying you wish to add a credit card to an Amazon account; at this point bogus generated credit card details were given and the hackers then hung up.
They then called Amazon again, this time saying they were locked out of their account and needed to add a new email address to the account, presenting the newly added bogus credit card details as identification verification. This gave the attackers access to the Amazon account, but as Amazon users know the site does not show full credit card numbers, only the last four digits. It was those last four digits that Apple customer service use to verify the identity of an iCloud user and so, using this, they took over the account.
