by jameskpolk 6247 days ago
He didn't. The attacker helped out with a site that didn't use OpenID and doesn't salt their passwords.

And Jeff used an insecure password on both the "evil site" and his OpenID provider.

The attacker only had access to Jeff's hash because he had access to a site that Jeff used.

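An added illustration (not part of the thread) of the point the comment above makes: with a fast unsalted hash, the stored value for a reused password is identical at every site that uses the same scheme, so one disclosed database row speaks for every other site; a per-user random salt plus a slow KDF breaks that link. Python standard library only; the password value and the two site names are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample: one weak password reused at two unrelated sites.
PASSWORD = "correct horse"  # placeholder value, not from the thread


def hash_unsalted(password: str) -> str:
    """Unsalted storage: a fast hash over the password alone (the weak scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_salt() -> bytes:
    """Fresh 16-byte random salt, generated per user per site."""
    return secrets.token_bytes(16)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted storage using a slow KDF (PBKDF2-HMAC-SHA256, 200k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def store_both_sites(password: str):
    """Simulate what two independent sites would persist for the same user."""
    unsalted = {site: hash_unsalted(password) for site in ("site_a", "site_b")}
    salted = {}
    for site in ("site_a", "site_b"):
        salt = new_salt()
        salted[site] = (salt, hash_salted(password, salt))
    return unsalted, salted


def unsalted_hash_matches_across_sites(password: str) -> bool:
    """True: a leaked unsalted hash from one site equals the hash at the other."""
    unsalted, _ = store_both_sites(password)
    return unsalted["site_a"] == unsalted["site_b"]


def salted_hash_matches_across_sites(password: str) -> bool:
    """False: different salts give unrelated stored values for the same password."""
    _, salted = store_both_sites(password)
    return salted["site_a"][1] == salted["site_b"][1]


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check for the salted scheme, using a constant-time comparison."""
    return secrets.compare_digest(hash_salted(password, salt), stored)
```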

To be explicit: the attacker was given trusted access to the password database on another site and violated that trust. The fact that the site used poor security and that Jeff was stupid enough to use the same password in two places doesn't mitigate it.

I was expecting the answer to be that Jeff somehow revealed his real password publicly somewhere, not that this idiot stole it from a database that he had trusted access to.

This would be grounds for instant dismissal or even legal action in my book.

But that's irrelevant once your identity is stolen.

It might be irrelevant to Jeff, but it wouldn't be irrelevant to me if I was the one employing this person to work on my web site.