They didn't. They scanned the IPv4 address space for servers with directory listing enabled and ".sql" files visible, and happened to find one at Australia's red cross.
And if you're less technically inclined, you can bypass the whole manual scanning of address space, and just look at what Google's already indexed publicly for you:
https://www.google.co.uk/?q=%22index+of%22+.sql