That could be true? IIRC, PRISM was less about direct access, and more about abusing every potential method of gaining information.
For example, imagine a Login page that said, "Password incorrect," versus "User does not exist." If you have "User does not exist," you could use that to figure out whether a given email address has an account with a service. That could be useful information to PRISM when looking for a target to subpoena or monitor. (This is also why it's now best practice to just say "Login incorrect" or something vague that doesn't say whether the username, or the password, was wrong.)
It goes further than just the error message. I think the original exploit was based on how quickly Unix would fail to login. (Bad user failed faster than bad password) and that allowed you to enumerate the user names.
It was not mentioned in the leaked documents that the Guardian published. Instead, it said that the data came "directly from" the tech companies (who responded to wiretap requests on specific accounts). Greenwald couldn't be bothered to understand what the documents said and hallucinated the phrase "direct access" like a low capacity language model, but we on HN are functionally literate.
For example, imagine a Login page that said, "Password incorrect," versus "User does not exist." If you have "User does not exist," you could use that to figure out whether a given email address has an account with a service. That could be useful information to PRISM when looking for a target to subpoena or monitor. (This is also why it's now best practice to just say "Login incorrect" or something vague that doesn't say whether the username, or the password, was wrong.)
Though, I could be wrong, I'd love more info.