Unfortunately the hashing was relatively simple, as were the passwords used by both the CEO and COO.
Anonymous cracked passwords for the two used them to log into the company's Google Apps email system and use the CEO's administrator privileges to reset the passwords for all the other users on the system.
That gave them access to all the email, in which they found passwords and other information they used to create an email that looked, in its lack of capitalization and punctuation, shorthand references to servers and login methods, authentic enough to look to the security specialist in charge of HB Gary's most valuable data store to ask him to open a hole in the firewall for them to run through.
ArsTechnica's step-by-step story about the attack includes text of the email chain, which would bore anyone stupid who didn't know it was Anonymous on one end of the request rather than the legitimate user.
At no point does the security specialist who was taken in look either stupid or stupidly trusting. The request and subsequent exchange are more detailed and technical than most password-repair requests from end users, in fact – requests that are fulfilled in their tens of thousands every day by people in IT.
The amount of trouble the Anonymi went to to crack HB Gary is way out of line with what would make sense for most companies.
Most of us rely for our sense of safety on either anonymity or degree of difficulty. We're safe from physical or digital attack (mostly) because we're each one of relatively indistinguishable hundreds of millions online.
We know someone targeting one of us individually could crack us more easily than Anonymous cracked HB Gary, but why go to the trouble?
You and I might not be worth the trouble. Lockheed Martin is. So is each person within it whose combination of online personal data, job description and access to potentially valuable authentication data would make them an attractive potential entry point.
Successful cracks don't depend on millions of generic emails. Ideally they could use just one apiece, directed at just the right person, using just the right amount of corroborating information and context, appearing to come from the right person's email address or other source.
Why wouldn't you help someone like that? Most likely, it's part of your job to do exactly that.
Walk through a couple of spear-phishing exploits and the victims don't look stupid anymore.
In fact, the attackers look smarter, and the rest of us look a lot more vulnerable.