The shift to data theft was even more pronounced as a group of six individuals, under the name of LulzSecurity, went on a hacking spree for 50 days from May to June this year. LulzSec went after various Sony properties to expose the poor security practices still prevalent after the massive PlayStation Network and Sony Online Entertainment breach in April.
In subsequent attacks, LulzSec breached insecure servers at various media and software companies to harvest user names and passwords. The group publicized the information by posting it on Twitter, sharing it on Pastebin or creating torrent files for download.
While it continued to deface Websites (such as PBS.org and the Westboro Baptist Church) and launch DDoS attacks (on sites such as Britain's Serious Organized Crime Agency and the United States Senate), LulzSec was increasingly stealing user data in the name of "lulz," or entertainment. In its press releases publicizing the latest attack, LulzSec regularly chided government and big businesses for failing at basic security.
"What's disturbing is that so many Internet users appear to support LulzSec as it continues to recklessly break the law," said Chester Wisniewski, senior security adviser at Sophos.
The attack methods used by Anonymous and LulzSec "aren't particularly sophisticated," as they are using well-known methods and readily accessible penetration testing tools to find and exploit vulnerabilities, said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. "Yet, they've managed to hit high-profile targets."
"The one good thing coming from these hacktivist attacks is that they highlight the current state of security technology in organizations that are believed to have" the highest level of security, said Anup Ghosh, founder and chief scientist at Invincea.
LulzSec also blurred the line between exposing security issues and malicious activity, as the group came under fire for publicizing the personal information it had stolen after breaching Sony Pictures Entertainment and other targets. The affected individuals were victimized twice: first by having their accounts compromised, and then by having their sensitive data leaked where other malicious parties could use it to steal their identities.
"There are responsible ways to inform a business that its Website is insecure, or that it has not properly protected its data; you don't have to put innocent people at risk," pointed out Wisniewski of Sophos.
LulzSec and Anonymous also encouraged supporters to hack into, steal and publish classified government information from any source. On Twitter, various members claimed the attacks were necessary to expose the alleged lies and illegal activities governments were covering up.