The Dell breach announcement (2018) specifically mentions "email addresses and hashed passwords" — why is this distinction worth emphasizing?
"Hashed" tells customers their plaintext passwords weren't exposed — but it's not a free pass, because hashes can still be cracked.
What attackers got:
- Email addresses (full plaintext)
- Hashed passwords (one-way encoded)
What this means for users:
- Strong, unique passwords → likely safe (cracking infeasible)
- Weak/common passwords → will be cracked within hours via dictionary + rainbow tables
- Reused passwords → attackers will try them on every other site
Why companies highlight "hashed":
Legal and PR reasons. Plaintext password leaks trigger:
- Mandatory disclosure under GDPR, US state laws
- Massive reputation damage (think Adobe 2013, RockYou 2009)
- Class-action lawsuits
Hashed leaks are still bad but signal the company did the right thing. The remediation is also simpler: forcing a password reset.
The catch:
"Hashed" alone isn't enough. Companies must also:
- Salt each password (so identical passwords produce different hashes)
- Use a slow hash (bcrypt/Argon2, not raw SHA)
- Use modern algorithms (not MD5)
If the leak was MD5-without-salt, "hashed" basically equals "plaintext within a week."
Tip: Always check haveibeenpwned.com after any major breach to see if your account was affected.
Go deeper:
Threatpost: Dell warns of attempted breach — quotes Dell's exact "hashed passwords" wording and the reset response.
Graham Cluley: Dell breach / password reset — why "hashed" matters and why reuse is the residual risk.