UserVoice Security Incident Notification (community.uservoice.com)
There's a bit more info in this one about exactly what was compromised though. While I can understand the abundance of caution in resetting passwords despite only hashes and salts being lost, it is odd that they would "[presume] the attackers may be able to decrypt the passwords," assuming they're using strong encryption.
Here's a good blog post on how and why this is problematic: https://www.troyhunt.com/our-password-hashing-has-no-clothes...
Further information: https://status.uservoice.com/incidents/fb7ml8b3nphf
Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak
Also, hashing != encryption
Interesting that they don't include strengthening their encryption (ok, hashing) in the list of steps they plan to take, but presumably they will.
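The thread notes that the stored hashes were salted SHA1 and that no hashing upgrade was listed. As an added example (not part of the thread and not UserVoice's code), here is one way to strengthen stored SHA1 hashes without knowing the passwords, then move each account to a plain slow hash at its next login. The `sha1(salt + password)` layout, the record fields and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# Memory-hard parameters: about 16 MiB of RAM per guess (assumed values).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_sha1(password: str, salt: bytes) -> bytes:
    # Assumed legacy layout; the page only says "SHA1" with salts.
    return hashlib.sha1(salt + password.encode()).digest()

def wrap_legacy(record: dict) -> dict:
    """Offline step: store scrypt(old_sha1_hash) so the fast hash is no longer at rest."""
    salt2 = os.urandom(16)
    return {"scheme": "scrypt(sha1)", "salt": record["salt"], "salt2": salt2,
            "hash": hashlib.scrypt(record["hash"], salt=salt2, **SCRYPT)}

def new_record(password: str) -> dict:
    """Target format: scrypt applied directly to the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)}

def verify(password: str, record: dict):
    """Return (ok, record); a successful login upgrades the record to plain scrypt."""
    if record["scheme"] == "sha1":
        candidate = legacy_sha1(password, record["salt"])
    elif record["scheme"] == "scrypt(sha1)":
        inner = legacy_sha1(password, record["salt"])
        candidate = hashlib.scrypt(inner, salt=record["salt2"], **SCRYPT)
    else:
        candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT)
    ok = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if ok and record["scheme"] != "scrypt":
        record = new_record(password)  # the password is known only at login time
    return ok, record

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample account, not real data
    old = {"scheme": "sha1", "salt": salt, "hash": legacy_sha1("hunter2", salt)}
    wrapped = wrap_legacy(old)
    print(verify("wrong-guess", wrapped)[0])  # rejected, record unchanged
    ok, upgraded = verify("hunter2", wrapped)
    print(ok, upgraded["scheme"])
```

Wrapping raises the per-guess cost for any later theft of the database; it does nothing for hashes that have already been copied, which is why the password reset is still needed.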