
From the email referenced in the report:

> We learned that in some cases, the attacker was able to perform a series of steps that allowed them to gain access to customer names, usernames, and encrypted passwords. Despite the fact that the passwords were encrypted, it is very possible that an attacker can decrypt this information.

This is worrisome, to say the least. I understand recommending people change passwords when the hashes are encrypted, even if the encryption was properly implemented. But if that were the case, there would still be no expectation that the passwords could be "decrypted". Seems to suggest UserVoice is not handling password storage in a secure manner.



