In the last several months there have been several publicized data breaches and public website defacements done by several different hacking groups (which the media loves to group under a single domain - "anonymous"), most recently some attacks on BART and affiliated organizations following a controversial move by the transit agency.
It's conceivable that some public-facing websites (effectively billboards) aren't well secured (like the CIA "hack" two months ago), allowing someone with some blackhat experience to be able to get in and mess with and deface the website (as well as release some inconsequential details about the FS organization and other stuff). However, every once in a while they release some more private details, like plain-text lists of usernames-passwords from various database servers that were in the attack.
What I'm confused about is how they get such a large list of passwords. Are these servers so badly configured that passwords for web services are stored in plain text? Is "anonymous" brute-forcing some hash list and releasing the low-hanging password fruit (this skews the number of passwords that look simplistic)? Are they setting up base on the hacked servers and logging all the passwords?
It seems a little unnerving to me that web services associated with legitimate organizations would be storing password information in such a way that it is easily retrievable by anyone with some hacking scripts.