[ceejayoz]

In general, you don't. You store hashes. Exceptions sometimes apply when it's a credential used to access some other system - for example, Plaid's gonna have to store your bank account password to scrape it - but there you'd at least hope for encryption.

Media coverage tends not to get the distinction right, so it's always hard to tell if the company fucked up or the attacker is exaggerating on early coverage.

[T3OU-736]

(Assuming this is what you meant by *but there you'd at least hope for encryption*, but expanding to verify): Even in this case, it seems unreasonable to store the password. Rather, the user's Plaid login should act as a part of multi-token access setup, where Plaid's backend services' tokens can also be used to decrypt the user's credentials in order to authenticate to those other service.

In short: even then, storing plaintext passwords seems... like choosing convenience for security, and that seems very wrong.

[poizan42]

Nobody said the passwords weren't hashed

[ceejayoz]

The article states "the group provided 100 credential pairs". That indicates one of a couple things; a) lying attacker providing old hacked accounts, b) unsalted or weakly salted credentials vulnerable to rainbow tables or brute force or c) plaintext storage.

[DistractionRect]

Or it's just credential stuffing matching email with plaintext passwords from other old breaches, or they created 100 accounts and thus know the password, etc.

Until a more detailed investigation/write comes out it's difficult to say for certain what they have, if anything.

[taeric]

It could also be colloquial use of "credential pairs." In that it could be that they were, in fact, hashed; but the report went with a quick verbiage to say they were leaked. Especially considering that most hashing/encoding tricks will go out of date and many common passwords will still be as effectively leaked.

[prepend]

Hashes aren’t passwords. So if they only have hashes, they don’t have passwords.