
I saw one darknet site where they didn't keep hashes, so they could go off and use all the various algos (SHA, MD5, etc.), then see where else those users were members (by looking for the password, if they were dumb enough). I wonder how often that happens in the corporate world, but absent a whistleblower or a helpful hacker no one would find out.

(I'm not clear if they were being run by the police when I showed up, or if that was an extortion technique, but it's been over two years since that adventure, so the CFAA has expired, and if someone takes issue: I tried to take down a den of hurtcore creeps because one of them obstructed my job search before the portmanteau had been popularized. Form a line to my left so you don't interfere with the baristas taking orders, as I operate in the clear and I will not abide absolute scumbags who abuse their access.)




> they didn't keep hashes, so they could go off and use all the various algos (sha, md5 etc) then see where else those users were members (by looking for password if they were dumb enough), I wonder how often that happens in the corporate world

https://en.wikipedia.org/wiki/Credential_stuffing

Indeed, it's a major problem.


Oh yeah, I know the re-use is common; I more meant the technique of purposefully not hashing, or disabling hashing, to compare hashes across services and connect users.
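An added illustration of the point above (not code from the thread): an unsalted digest, or plaintext hashed on demand, is the same value on every service that uses the same algorithm, so two dumps can be joined on it without cracking anything, while a per-user random salt with a slow KDF leaves nothing to join. The services, usernames, passwords and fixed salts are constructed for the demo.

```python
import hashlib

# Constructed sample data: the same people registered on two unrelated services,
# two of them reusing a password. Plaintext is shown only to build the stored forms.
SERVICE_A = {"alice": "correct horse battery staple", "bob": "hunter2"}
SERVICE_B = {
    "alice@example.org": "correct horse battery staple",  # alice reusing her password
    "carol": "hunter2",                                    # a different person, same password
    "dave": "only-used-here",
}


def unsalted_store(users: dict, algo: str = "sha256") -> dict:
    """Stored form of a service that hashes without a salt (or keeps plaintext and
    hashes on demand): one password maps to exactly one digest everywhere."""
    return {u: hashlib.new(algo, pw.encode()).hexdigest() for u, pw in users.items()}


def salted_store(users: dict, salts: dict) -> dict:
    """Stored form with a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256 here).
    In production each salt is os.urandom(16); fixed salts are passed in so the
    demo is deterministic. The salt is stored next to the hash, as usual."""
    return {
        u: salts[u].hex() + "$" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salts[u], 100_000).hex()
        for u, pw in users.items()
    }


def linkable_accounts(store_a: dict, store_b: dict) -> list:
    """Pairs (user_in_a, user_in_b) whose stored values are byte-for-byte identical:
    the join that is possible from two dumps alone, with no cracking."""
    by_value = {}
    for user, value in store_a.items():
        by_value.setdefault(value, []).append(user)
    return sorted((a, b) for b, value in store_b.items() for a in by_value.get(value, []))


if __name__ == "__main__":
    print("unsalted:", linkable_accounts(unsalted_store(SERVICE_A), unsalted_store(SERVICE_B)))
    # -> [('alice', 'alice@example.org'), ('bob', 'carol')]
    salts_a = {u: bytes([i]) * 16 for i, u in enumerate(SERVICE_A, 1)}
    salts_b = {u: bytes([i]) * 16 for i, u in enumerate(SERVICE_B, 10)}
    print("salted:  ", linkable_accounts(salted_store(SERVICE_A, salts_a), salted_store(SERVICE_B, salts_b)))
    # -> []
```

Note that the join also works for any other unsalted algorithm (pass `algo="md5"`), which is why a plaintext-holding site can try each one in turn; only the salt breaks it.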



