It is OK to suggest that users change their passwords, but shouldn't they stop sending their session cookies over plain HTTP? Session hijacking is now widespread and an easy way to get into unimportant accounts and then escalate to more interesting ones.
PS: I'm leaving this comment without any reference to the site name, so I can copy and paste it verbatim in the future; it looks like this kind of breach will not stop soon.
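As an added example (not part of the thread, and not anyone's posted code), here is a small Python audit of the attributes on a Set-Cookie header that decide whether a session cookie can travel over plain HTTP at all. The headers it inspects are constructed for the demonstration; the session values and cookie names are placeholders.

```python
"""Added example: audit Set-Cookie headers for the attributes that keep a
session cookie off plain HTTP. Sample headers below are constructed."""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    attrs: dict                      # lower-cased attribute -> value, True for bare flags
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split 'name=value; Attr; Attr=val' into the cookie name and an attribute map.
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _ = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return CookieAudit(name=name.strip(), attrs=attrs)


def audit_set_cookie(header: str, set_over_https: bool) -> CookieAudit:
    """Record each defect that lets the cookie leak on the wire or to script."""
    audit = parse_set_cookie(header)
    a = audit.attrs
    if a.get("secure") is not True:
        audit.problems.append(
            "no Secure attribute: the browser will also attach this cookie to "
            "http:// requests, where it travels in cleartext")
    if a.get("httponly") is not True:
        audit.problems.append(
            "no HttpOnly attribute: document.cookie exposes it to injected script")
    if "samesite" not in a:
        audit.problems.append(
            "no SameSite attribute: cross-site sending is left to browser defaults")
    if audit.name.startswith("__Host-"):
        # Browsers only accept __Host- cookies with Secure, Path=/ and no Domain.
        if a.get("secure") is not True or a.get("path") != "/" or "domain" in a:
            audit.problems.append(
                "__Host- prefix requirements not met (Secure, Path=/, no Domain)")
    if not set_over_https:
        audit.problems.append(
            "issued over plain HTTP: the value was already visible on the wire")
    return audit


def hardened_session_cookie(name: str, value: str) -> str:
    """Build the Set-Cookie header a session cookie should carry."""
    return f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers (placeholder names and values, not real sessions).
WEAK_HEADER = "PHPSESSID=0123456789abcdef; Path=/"
STRONG_HEADER = hardened_session_cookie("sid", "0123456789abcdef")

if __name__ == "__main__":
    for header, https in ((WEAK_HEADER, False), (STRONG_HEADER, True)):
        report = audit_set_cookie(header, set_over_https=https)
        print(header)
        for problem in report.problems or ["ok"]:
            print("  -", problem)
```

The Secure attribute stops the browser from attaching the cookie to http:// requests; it does not stop the plaintext request itself, so pairing it with a Strict-Transport-Security header on the site keeps the first hop off plain HTTP as well.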
Be aware that there is the possibility[0] that HN's (or other sites') anti-spam features may detect a copy-pasted post as duplicate or artificial content, and kill it and/or your account. It's probably better to add a link to the original post, with some article-specific text.
[0] Based on speculation and inference, not actual knowledge.
[1] https://www.owasp.org/index.php/Session_hijacking_attack