Dear ..., while I appreciate the proactive alert, I am a bit concerned with the “compared passwords associated” part of this message #plaintext 🤫
That's not an indicator of plaintext passwords being stored by Glassdoor. Many companies now do this. They take their hashes and compare them to other hashes from hacked DBs that are now public. It's proactive, and this kind of message is usually pointing to password re-use.
Still seems to indicate that neither site is salting their passwords, no?
It doesn’t indicate salted or not. You don’t compare hash to hash. Instead, you take the breached cleartext password, run it through the same logic your site uses (which can include salt), and compare to the hash you have.
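The check described in the reply above, as an added example that is not from any participant in this thread: the site re-runs each breached cleartext through its own salted scheme and compares against the stored hash, and the same password under two different salts yields different digests, which is why a hash-to-hash comparison against a foreign dump says nothing about salting. PBKDF2-HMAC-SHA256 as the site's scheme and the breach corpus are assumptions constructed for the example.

```python
import hashlib
import os
import secrets

# Constructed stand-in for a public breach corpus of cleartext passwords
# (placeholder values, not real breach data).
BREACHED_CLEARTEXT = ["password123", "letmein", "hunter2"]

# Assumed site-side scheme: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash exactly the way the site does, salt included."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the site keeps per user: a fresh random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def matches_breached_password(record: dict, corpus) -> bool:
    """Proactive reuse check: hash each breached cleartext under the user's own
    salt and compare to the stored hash in constant time. No plaintext of the
    user's password is needed or stored on the site side."""
    for cleartext in corpus:
        candidate = hash_password(cleartext, record["salt"])
        if secrets.compare_digest(candidate, record["hash"]):
            return True
    return False


def same_hash_across_salts(password: str) -> bool:
    """Illustrates why comparing stored hashes to a foreign hash list fails:
    the same password under two independent salts produces different digests."""
    first = make_record(password)
    second = make_record(password)
    return first["hash"] == second["hash"]
```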
That implies they have the cleartext dumps, but I don't think haveibeenpwned, etc. release that because then you could use it for your own credential stuffing attacks.
Just because HaveIBeenPwned doesn’t release cleartext doesn’t mean it’s unavailable. Troy gets his data somewhere. 😉
Of course, I just assume that Glassdoor isn't really in the business of obtaining that data... although I could be wrong.