LulzSec, the hacker group who have claimed responsibility for many of the high profile attacks on gaming companies, publishers, and even the CIA, have declared their work is done, their time is up, and they’re off. Apparently it was always intended to be a 50 day voyage aboard their Lulzboat, and it has come to an end. They believe they have revitalised the Antisec Movement, and entertained themselves along the way. Which they claim, albeit in hindsight, was always their goal. But whatever their reasons, their goodbye comes with perhaps their biggest release of data yet. It’s going to be messy. This one contains 550,000 Battlefield Heroes Beta users’ details, and the details of 50,000 users from “random gaming forums”.

You can see the full list of what’s released in this farewell below, but the ones to worry about are if you’re registered on the Battlefield Heroes beta, registered to Hackforums.net, or one of the 50,000 who have been picked up from whichever gaming forums they went after. If you’re worried, just reset your passwords immediately, and if you’ve been so daft as to use the same password elsewhere, for goodness sake go change them anywhere important.

The claim of always being motivated by AntiSec and with a 50 day plan seems a little dubious, since they gave no hints that their reign of error would be so finite. Rather the loudest aspect of their legacy became DDOS attacks on various minor and major sites, which led to a lot of other groups questioning their abilities. The response of releasing 62,000 unsourced email addresses and their accompanying passwords was certainly an evocative one. While clearly adept – they’ve released internal data from Sony, Arizona government, Nintendo, and so on – the reputation was muddied by taking down easy targets such as indie developers, such as Mojang’s Minecraft. It’s arguable that their full list of releases will not be what they’re remembered for.

However, what they certainly managed to do was create lulz for themselves along the way. Which is of course the same as saying they succeeded in upsetting and pissing off a huge number of people over the last month and a half. And while it’s tempting to categorise them as either griefer anarchists, or amoral crusaders, they fell neatly into neither camp. Instead their actions were more true to the lulz-seekers than most analysts and victims ever get to grips with. They just entertained themselves, whether that was by upsetting a group of gamers on a forum, or by making political statements. Not a form of entertainment the majority can identify with, or perhaps even understand, but one that meant no fixed ideology was driving them beyond seeing what was next.

There is a hint of purpose in their closing statements – one I suspect they’d not have been able to claim as their eventual goal when they started, but who knows,

“Behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.”

Understanding AntiSec can be about as confusing as getting your head around the mindset of the hackers. It is, essentially, the campaign to prevent the publication of security vulnerabilities online. It may seem a strange position, but it is the belief of this movement that such vulnerabilities are made public by those who profit from preventing the attacks. Anti-virus and internet security firms, they claim, ensure the spread of such internet weaknesses via “full-disclosure”, which then allows anyone to exploit them, and thus give greater cause for people to pay for the services of those who can stop them. And their solution? Mayhem. They believe that by raising hell, and seeking to destroy those who partake, they can force a change in the way the industry works. Whether conspiracy theory, excuse for pissing people off, or noble cause, it’s this that LulzSec claim to have been raising awareness for.

It’s hard to see quite how their targets match those of the AntiSec plan. Rather than going for those who publish exploits, they went for anyone who annoyed them. It’s certainly arguable – and they themselves occasionally alluded toward it – that taking down gaming sites makes it very clear how poorly protected the majority of online services are. While it may make no sense to many why it is worth publishing Bethesda’s internal documents, or the user database of Pron.com, it certainly has made a huge audience of people aware that their personal information is not secure. I know I’ve realised I should strengthen a couple of passwords here and there.

Of course, one could equally argue that raising awareness of the vulnerability of online information has quite the opposite effect of the AntiSec agenda, making people more fearful of security, and more likely to go to the firms who claim they can improve it. And when LulzSec’s first famous attack (although their fifth release) was the defacement of the PBS website, after LulzSec suggested they were annoyed by the American publicly funded station’s report on the Wikileaks saga, it’s hard to follow any logical trend regarding these latterly claimed motivations.

Their final statement comes with a final release, and it’s not a happy one for many. It contains the following:

booty/AOL internal data.txt 63.6 KiB

booty/AT&T internal data.rar 314.59 MiB

booty/Battlefield Heroes Beta (550k users).csv 24.67 MiB

booty/FBI being silly.txt 3.82 KiB

booty/Hackforums.net (200k users).sql 111.2 MiB

booty/Nato-bookshop.org (12k users).csv 941.8 KiB

booty/Office networks of corporations.txt 3.87 KiB

booty/Private Investigator Emails.txt 2.52 KiB

booty/Random gaming forums (50k users).txt 6.08 MiB

booty/Silly routers.txt 67.7 KiB

booty/navy.mil owned.png

Clearly AT&T and AOL are going to be spitting. I’m guessing that the Private Investigator firm they’ve released all the usernames and passwords for is one that was going after them. There’s a dig at the FBI, a worrying list of vulnerable routers with unset passwords, and goodness knows what NATO Bookshop did to have them release twelve thousand user details. (The NATO Bookshop site currently redirects to the NATO front page.)

But users of Battlefield Heroes and literally hundreds of thousands of other forum users are now in danger of having other accounts using the same or similar passwords hacked. Which is utterly horrible for them. It’s the point at which LulzSec lose any understanding.

It’s such a confused collection, at once in tune with AntiSec, exposing Hackforums, etc, and then at the same time letting people know what’s vulnerable out there, and encouraging others to attempt to hack people’s various accounts. But then I’m making the same mistake I explained above – trying to fathom it, when their central purpose is lulz.

But with that, they claim, they’re done. Lots of people hurt along the way. Lots of companies aware quite how vulnerable they are. Lots others frantically trying to fix their own weaknesses. Some entertained by it all. So very many people are devastated by their personal details being exposed for no understandable reason. The mistake almost everyone from every category makes is trying to explain it.

Here’s their closing statement – and no matter what you may think of them, their actions, or the consequences of their actions, those hackers can write.