
This title is incorrect. Credentials were not stolen; usernames and hashed passwords were stolen. That is not the same as having everyone's password. The title implies someone can easily log in to your account.


> That is not the same as having everyone's password

It is for everyone who used "weebly" or any of the top 100 most common passwords.

That could mean no less than 82% of users are at risk.


This is also not true: if they used bcrypt (a key derivation function), the hash is salted, so even users using common passwords are protected against rainbow (lookup table) attacks.

As for brute force: yes, attackers now know usernames, so they can try brute-forcing the live sites, or brute-forcing each user hash.


I believe he meant they will try the top 100 most common passwords on each account on the website directly, resulting in "82% of users at risk", assuming 82% of users use one of these 100 passwords.

Strong brute-force protection (e.g. blocking the account for exponentially increasing times) could mitigate this attack vector.
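The exponential lockout mentioned in the comment above, as an added illustration that is not part of this thread: a hypothetical per-account throttle whose lockout doubles after a small free allowance of failures, plus a helper that bounds how many online guesses one account can absorb in a given window. Class and method names, the default parameters, and the injectable clock are all assumptions made for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # clock timestamp; 0 means not locked


class LoginThrottle:
    """Per-account lockout that doubles after each failure past a small free allowance.

    Hypothetical helper; the clock is injectable so the policy can be tested without sleeping.
    """

    def __init__(self, free_attempts=3, base_seconds=1.0, max_seconds=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_seconds = base_seconds
        self.max_seconds = max_seconds
        self.clock = clock
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def lockout_for(self, failures):
        """Seconds of lockout after `failures` consecutive failures (0 within the free allowance)."""
        excess = failures - self.free_attempts
        if excess <= 0:
            return 0.0
        return min(self.base_seconds * 2 ** (excess - 1), self.max_seconds)

    def is_allowed(self, username):
        """True if a login attempt for this account may be evaluated right now."""
        return self.clock() >= self._state(username).locked_until

    def record_failure(self, username):
        """Register a failed attempt; returns the lockout applied, in seconds."""
        st = self._state(username)
        st.failures += 1
        wait = self.lockout_for(st.failures)
        st.locked_until = self.clock() + wait
        return wait

    def record_success(self, username):
        """A correct password clears the counter so legitimate users are not penalised later."""
        self._accounts.pop(username, None)

    def guesses_within(self, window_seconds):
        """Upper bound on wrong guesses a single account can absorb within `window_seconds`."""
        elapsed, guesses = 0.0, 0
        while elapsed <= window_seconds:
            guesses += 1
            elapsed += self.lockout_for(guesses)
        return guesses
```

With the defaults, one account absorbs only 38 wrong guesses per day, so a 100-password online dictionary run is cut well short; the offline case against leaked hashes is unaffected by this control.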


Why are you guys talking about live site and rainbow table???

The attackers have the salts and the hashes, they can brute force the hashes offline with [ocl]hashcat as they wish.

Top 100 passwords * 43M accounts is only ~4B hashes to compute. We don't know what bcrypt parameters they used but we're probably talking a few hours here, maybe only a few minutes.


To brute-force the top 100 passwords, only the usernames were really required; one can easily brute-force the top 100 passwords on a live site.

You are right that it's now very easy to use dictionary attacks on all the credentials offline, and those with super weak passwords will have their accounts compromised.


more than 63% of all statistics are made up [1]

[1] me



