[minimaxir]

Big companies often have legacy systems which were architected before password dumps were a regular occurance. You can't just implement strong password hashes on those systems without causing issues or paying a large amount of capital.

[davismwfl]

I agree you can't implement a strong password hash on some legacy systems and that replacing them is capital intensive which may not even be possible in some cases. However, that doesn't stop good security procedures to isolate those systems, add layers in front of them and minimize the attack vectors. Even the act of air gapping certain legacy systems is the right move, it at least minimizes the attack vectors, and can keep costs reasonable.

So if the company cares about security there are ways to layer it in and provide a robust solution (albeit not necessarily ideal), but many times they just don't care enough to make it a priority.

[QuantumLogic]

How does that explain Uber's data breach?