by ummonk 1598 days ago
Salting (which they absolutely should be doing precisely to make mass dictionary attacks computationally expensive) would make that infeasible.

More likely they're just checking against the stolen passwords database whenever the user logs in, as passwords are typically submitted in plain text.


Salting doesn't matter in this case. They're not finding a list of free-floating passwords and then seeing if anyone has that password; they're finding a list of accounts and associated passwords. So they only have to check that particular combination, just as they would for a regular login.
D’oh, you’re right.
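The login-time check the thread settles on, as an added example that is not from any of the posts above: the breached (account, password) pairs are stored as salted PBKDF2 hashes rather than plaintext (the storage scheme, account names and passwords are all constructed for this example), and at login only the submitted account's own entries are checked, which is why salting the breach copy costs nothing extra, exactly as the reply says.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a leaked account/password list (not real credentials).
RAW_BREACH = [("alice@example.com", "hunter2"), ("bob@example.com", "password1")]

def derive(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; same function for the user store and the breach copy."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def build_breach_index(raw_pairs):
    """Keep the breach list as per-entry salted hashes keyed by account, so no plaintext is retained."""
    index = {}
    for account, password in raw_pairs:
        salt = secrets.token_bytes(16)
        index.setdefault(account, []).append((salt, derive(password, salt)))
    return index

def credential_is_breached(index, account, password):
    """One derivation per breach entry for this account only: the exact (account, password) pair is tested."""
    for salt, digest in index.get(account, []):
        if hmac.compare_digest(derive(password, salt), digest):
            return True
    return False

def register(store, account, password):
    """Normal account creation: per-user salt, hash stored, plaintext discarded."""
    salt = secrets.token_bytes(16)
    store[account] = (salt, derive(password, salt))

def login(store, breach_index, account, password):
    """Authenticate as usual, then check the submitted pair against the breach copy before granting a session."""
    record = store.get(account)
    if record is None or not hmac.compare_digest(derive(password, record[0]), record[1]):
        return "denied"
    if credential_is_breached(breach_index, account, password):
        return "password_reset_required"  # valid login, but the pair is known to be leaked
    return "ok"
```

A password that matches a breach entry for a different account is not flagged here, since the check is per pair; a site that also wants to catch reused passwords across accounts needs a separate, unsalted (or k-anonymity style) lookup, which is the case where the salting argument from the first comment does apply.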