That's a very good question that many others also have when they're learning about the mechanics of a snapshot.
A snapshot is simply a list of every address and associated balance in the network. Right now, the community agrees that snapshots are to be conducted by the IOTA Foundation, but in the future there will be local auto-snapshotting capability for each node.
So when a snapshot is done, whoever is doing the snapshot can type in any numbers they want into any location on the ledger. The community verifies that the ledger is in agreement with the previous state of the network, for the most part. There are some rare situations, like the one recently encountered, when the Foundation is able to use its ability to snapshot (snapshot = issue a new ledger, essentially) to save users' funds. People who accidentally reused an address were unknowingly leaking parts of their private key (this is a feature of the protocol - and this is why it's stressed: Do not receive funds at an address that has already been spent from!), making it easier for attackers to steal that address's balance via brute force. So the Foundation was able to step in and take a snapshot, "re-write" the ledger, have it verified by the community, and save those re-used addresses from being stolen.
This is one of the benefits of the bootstrapping phase in IOTA.
Explanation from @proto
"When a snapshot happens, collectively all fullnodes verify the integrity of the snapshot, with the databases that they all have. A snapshot is only taking the latest state of all of the tangle and not worrying about the rest essentially
--->Permanodes will maintain history of full tangle history.
----->Snapshots keep it lean, and no need for 100s of GB of space to run a fullnode.
--->Literally we refresh IRI using the snapshot, which is the set of all addresses and balances.
--->Technically someone could change a snapshot to have 1000s of Gi to themselves in a new address, but no one would use that because all the nodes would reject it since it doesn't verify integrity wise with our databases historically obviously.
---> Anyone could have replaced all the addresses of people who were re-using keys (which makes themselves vulnerable) to their own address, but collectively all the nodes decided it was ok to let them move those funds which were At Risk of malicious people stealing them.
-->So those funds from those At Risk people's addresses were moved in safe keeping for them to claim them safely, and use addresses properly.
-->Obviously things like multi-sig are in place, as well as the fact that we all verified and even found some weird things as a collective of node users, to make sure that there is nothing strange going on.
-->If the majority of the people did not agree with it, then we wouldn't have used the Proposed Snapshot. Which is what it is, a Proposal, and we voted by running with that snapshot.
-->I think majority sees it as, we are basically protecting those people who had funds placed outside At Risk address/key re-use. Since they would have kept using addresses improperly, and at some point someone malicious steals from them, and then they cry.
-->This way they now have a wallet which is more user friendly to show these people how to use the addresses properly, rather than let them continue and end up re-using so many times that it becomes significantly more and more at risk.
--> It is a simple process for them to reclaim and use it properly now.
---> In the future this kind of proposal would be totally impossible of course anyways, due to:
--------->All nodes will be automatically and independently snapshotting, There will be no Global Snapshots.
--->This is essentially the stage where we as a community and movement are literally growing/tinkering/mastering the tangle, to the point that it is *fully production ready*.
--->At these later stages, collectively no one can't help someone who is somehow using something improperly and putting their own addresses/Funds at risk.
---->By that point the human wallets will be 110% User Friendly, and make it impossible for people to use things improperly.
--->Imagine it like people set up a root account on their computer with the password ''root:root", obviously a bad idea....TLDR: Snapshots are global events that we all decide to use or not, soon/later, it will be fully automatic and decentralized, each node doing its own snapshot.
--->At that point, no one would be able to propose anything, since they will never be global events.
--->It's the nature of how a snapshot works, anyone could propose to use their own snapshot, and say: give me 50% of everything, but no one is going to agree and continue on with that.
--->We are building up the tangle, improving, fixing, trying to make sure everyone is using things properly, (not everyone realises that some users do not read, or learn how they are supposed to use a tech, so it becomes up with the techy people to make it more user-friendly and make sure that those people are not going to use things improperly so much at risk that they end up losing everything.
-->did I say we do global snapshots right now ?
-->netflix, chill, and re-claim if you were using addresses improperly, now you should know how to use things properly, and no one is going to propose ''lets save peoples at risk stuff because they have no idea what they are doing'', never mind choose to actually go on with such a proposal. Global snapshots will be soon a thing of the past anyhow."
Hopefully that made some sense. Please ask questions to clarify anything.
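The check described above (each node comparing a proposed snapshot against the balances it derived itself, and accepting only differences it has agreed to) can be sketched as follows. This is an added example, not IRI code and not part of the original answer; the function name, the address labels and the toy supply of 100 are assumptions made for illustration.

```python
# Added example: hypothetical names and constructed data throughout.
TOTAL_SUPPLY = 2_779_530_283_277_761  # fixed IOTA supply, (3**33 - 1) // 2

def verify_snapshot(local_state, proposed, approved_moves=None, supply=TOTAL_SUPPLY):
    """Compare a proposed snapshot with the state this node derived itself.

    local_state / proposed: dict of address -> balance.
    approved_moves: dict of at-risk address -> custody address; these are the
    only differences the node operator has agreed to accept.
    Returns a list of problems; an empty list means the proposal is acceptable.
    """
    approved_moves = approved_moves or {}
    problems = []
    if any(balance < 0 for balance in proposed.values()):
        problems.append("negative balance in proposal")
    if sum(proposed.values()) != supply:
        problems.append("total supply changed")

    # Balances the node expects once the approved moves are applied.
    expected = dict(local_state)
    for src, dst in approved_moves.items():
        amount = expected.pop(src, 0)
        expected[dst] = expected.get(dst, 0) + amount

    # Any other difference, in either direction, is grounds for rejection.
    for addr in sorted(set(expected) | set(proposed)):
        want, got = expected.get(addr, 0), proposed.get(addr, 0)
        if want != got:
            problems.append(f"{addr}: expected {want}, proposal has {got}")
    return problems

# Constructed sample ledger (toy supply of 100 instead of the real one).
LOCAL = {"ADDR_A": 60, "ADDR_B": 30, "ADDR_REUSED": 10}
MOVES = {"ADDR_REUSED": "CUSTODY"}                        # agreed protective move
HONEST = {"ADDR_A": 60, "ADDR_B": 30, "CUSTODY": 10}
INFLATED = dict(LOCAL, NEW_ADDR=1000)                     # balance created from nothing
REDIRECTED = {"ADDR_A": 60, "ADDR_B": 30, "UNAPPROVED": 10}  # supply intact, wrong destination

if __name__ == "__main__":
    for name, snap in [("honest", HONEST), ("inflated", INFLATED), ("redirected", REDIRECTED)]:
        print(name, verify_snapshot(LOCAL, snap, MOVES, supply=100))
```

The redirected case shows why a supply check alone is not enough: the total is unchanged, so only the per-address comparison against the node's own database catches it.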