Password Re-user? Get Ready to Get Busy

Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.

Re:How do they know they are the same?

Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless you have the resources to brute-force them.

The password lists aren't encrypted. They are in the form of: login_id:password (ie: bob@example.com:example)

What Netflix, et. el. are doing is taking the list, noticing that they have a user with the same login_id (bob@example.com), and taking the password (example) and hashing it in the same way that their authenticator does. If the hashes match, then they send the user an email saying "Reset your password"