Google introduced factory reset protection (FRP) in Android 5.1 to make it impossible to use a stolen device. Ever since then, RootJunky has been finding workarounds for it. Presumably this is all he does, tapping around in the setup menu for hours or days on end until he finds a trick. Google just rolled out the May security patch for Nexus devices, and RootJunky has found a FRP bypass method for it. It's not easy, but it works.
This bypass is more complicated than some of the previous ones. We're talking about a few dozen steps here. Basically, you need to disconnect your WiFi during the initial setup, which can cause the phone to skip the FRP check. Then, you need to actually find a way to add a new account to the device (other than the one it's supposed to be locked to). You can watch the video above for the full process, but it involves downloading an APK to access the account manager and signing in via the browser.
The end result is that you can essentially put any account you want on the device. FRP will still be active when you reset, but you know the password to the account you added. From there, the device is all yours. This is far from an easy hack, but RootJunky claims Google has told him they do not consider this a security risk. That's maybe a little harsh. It's definitely a risk, just not one most phone thieves are going to know about.