> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,
> couldn't they just capture the passwords when they were unhashed?
> i.e. could it have been that they let paypal know they had been
> compromised, so that a program they left on paypal's systems could
> report the unhashed passwords when paypal told their users to reset
> their passwords?

I don't know how it was done, but I'm pretty sure they grabbed the password hashes, not the plaintext passwords. If the hashes weren't salted, they could have just used a standard lookup table.

It seemed to be a fairly sophisticated attack. When my PayPal account was accessed, my email account was DoS'd by sending thousands of garbage emails to it every hour, to prevent me from reading PayPal's email notifications associated with account activity. It wasn't until later in the day that I discovered independently what had happened, and realized why my email was being DoS'd.

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
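The point about unsalted hashes and a "standard lookup table" is easy to see in code. The following is an added illustration, not code from the thread or from PayPal: it uses a constructed five-word list standing in for a public common-password list, hashes three user records once without a salt and once with a per-user random salt, and checks how many leaked digests the precomputed table resolves in each case. SHA-256 is used purely so the example runs with the standard library; the function names and sample users are assumptions.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a public common-password list (assumption).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]

# Constructed user records: two users share a password so the effect of salting is visible.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "welcome1")]


def unsalted_hash(password: str) -> str:
    """Bare digest of the password: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt mixed in before hashing, so equal passwords store differently."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed digest -> plaintext map, i.e. the 'standard lookup table' the post mentions."""
    return {unsalted_hash(w): w for w in wordlist}


def recover_from_table(user_to_hash, table):
    """Resolve each user's stored hash with one dictionary lookup; None if not in the table."""
    return {user: table.get(h) for user, h in user_to_hash.items()}


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Scenario 1: unsalted storage. Leaked digests are reversed by direct lookup,
    # and users with the same password are immediately recognisable as such.
    unsalted_db = {user: unsalted_hash(pw) for user, pw in USERS}
    unsalted_hits = recover_from_table(unsalted_db, table)

    # Scenario 2: salted storage. Same passwords, but each record carries its own
    # 16-byte random salt, so none of the stored digests appear in the precomputed table.
    salted_db = {}
    for user, pw in USERS:
        salt = os.urandom(16)
        salted_db[user] = (salt, salted_hash(pw, salt))
    salted_hits = recover_from_table({u: h for u, (_, h) in salted_db.items()}, table)

    return {
        "unsalted_same_hash": unsalted_db["alice"] == unsalted_db["bob"],
        "unsalted_recovered": sum(v is not None for v in unsalted_hits.values()),
        "salted_same_hash": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_recovered": sum(v is not None for v in salted_hits.values()),
    }


if __name__ == "__main__":
    print(demo())
```

A salt defeats the precomputed table but not a per-hash guessing run, which is why a stored password should also go through a deliberately slow construction such as bcrypt, scrypt or Argon2 rather than a single fast digest as in this illustration.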