So what allowed Anonymous to bring HBGary down? A bunch of careless errors and well-known security flaws. Namely:
A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.
This story keeps getting more fascinating.