Bummer for the company and I wish them well as they navigate the incident response waters. What I found interesting from the article was:
If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.
They could have migrated all accounts regardless of whether they came back to the site or not, changed their password or not, etc. Just use:
password_hash = bcrypt(sha1(raw_password))
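A worked version of that wrap-and-migrate idea, added here as an example and not code from the post or from the site involved. It assumes a per-user SHA-1 salt as the article describes (so the wrapped hash is bcrypt over the existing salted SHA-1 digest, which the site already has on disk, not over the raw password), and it uses hashlib.scrypt as a stand-in for bcrypt so it runs with the standard library alone; in production the slow_kdf body would call bcrypt.hashpw instead.

```python
import hashlib
import hmac
import os

# Legacy scheme as the article describes it: per-user salt + SHA-1.
def legacy_sha1(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode()).digest()

# Assumption: hashlib.scrypt stands in for bcrypt here so the example runs
# offline. The cost (n=2**12) is deliberately low for a demo.
def slow_kdf(data: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(data, salt=salt, n=2**12, r=8, p=1, dklen=32)

def wrap_legacy_record(sha1_digest: bytes, sha1_salt: bytes) -> dict:
    """Offline migration of one stored record. Only the stored SHA-1 digest and
    its salt are needed, so every account can be upgraded in one batch job
    without waiting for the user to log in or change their password."""
    kdf_salt = os.urandom(16)
    return {"scheme": "kdf(sha1)", "sha1_salt": sha1_salt,
            "kdf_salt": kdf_salt, "hash": slow_kdf(sha1_digest, kdf_salt)}

def verify(password: str, record: dict) -> bool:
    """Check a login against either the wrapped or the native scheme."""
    if record["scheme"] == "kdf(sha1)":
        inner = legacy_sha1(password, record["sha1_salt"])   # rebuild inner digest
    elif record["scheme"] == "kdf":
        inner = password.encode()
    else:
        raise ValueError("unknown scheme")
    candidate = slow_kdf(inner, record["kdf_salt"])
    return hmac.compare_digest(candidate, record["hash"])      # constant-time compare

def upgrade_on_login(password: str, record: dict) -> dict:
    """Once the user proves the password, drop the SHA-1 layer entirely."""
    if record["scheme"] == "kdf(sha1)" and verify(password, record):
        kdf_salt = os.urandom(16)
        return {"scheme": "kdf", "kdf_salt": kdf_salt,
                "hash": slow_kdf(password.encode(), kdf_salt)}
    return record
```

The wrapped form protects the dumped hashes immediately; the later unwrap on login only removes the now-redundant inner SHA-1 step.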