But to rely on an algorithm that's been compromised for years for mass hashing is utter negligence.
Yes, and there's going to be no shortage of people pointing it out. So far, I've only looked at the data for Anonymize; it's possible that passwords for other services are using something better.
That being said, all hashing is just designed to buy time. Even if they were using bcrypt or argon2, the passwords would get out eventually. People should be changing their passwords regardless.
The biggest challenge for them in the near-term is going to be locking everything down. Again, I've only glanced at the data, but they appear to have a massive attack surface with a lot of moving parts. I suspect there's no shortage of holes, and there are going to be quite a few people combing through the dataset looking for additional vulnerabilities.
So, isn't this like, FederatedIdentity.com is the 3rd party, and then Epik.com stores pw in plaintext so that FederatedIdentity.com can authenticate it? And if that's the case, aren't all those Google+FB logins on unrelated websites extremely dangerous?
To give you an example, NamePros processes payments through Stripe. In order to authenticate with Stripe, a third-party service, NamePros needs to store a password in plaintext--not *your* password, just *a* password, one provided to us by Stripe. There's no way around that.
I don't know what the plaintext passwords I saw were intended to be used for, but there weren't many of them. The user accounts were using MD5 (which might as well be plaintext).
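The distinction drawn above between unsalted MD5 and a deliberately slow, salted password hash is easy to show in code. The following is an added illustration, not code from the thread or from NamePros or Epik: a small credential store that verifies passwords against a modern salted, iterated hash and transparently re-hashes any account still sitting on a bare MD5 digest the next time that user logs in. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt or argon2 (which need third-party packages); the iteration count, the record format, the sample usernames and the sample passwords are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re

# Parameters chosen for this example (assumptions, not values from the thread).
PBKDF2_ITERATIONS = 600_000   # high enough that each guess costs real CPU time
SALT_BYTES = 16               # per-user random salt defeats precomputed tables

# A bare 32-hex-character record is treated as a legacy, unsalted MD5 digest.
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def is_legacy_md5(record: str) -> bool:
    """True when the stored record is an unsalted MD5 digest rather than a PBKDF2 record."""
    return bool(_MD5_HEX.match(record))


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against either record format, using constant-time comparison."""
    if is_legacy_md5(record):
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, record)
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify the password; on success, upgrade a legacy MD5 record to PBKDF2.

    Returns (success, record_to_store). The caller persists the returned record,
    which only changes when a legacy account was just migrated.
    """
    ok = verify_password(password, record)
    if ok and is_legacy_md5(record):
        return True, hash_password(password)
    return ok, record


def legacy_accounts(store: dict[str, str]) -> list[str]:
    """List users whose stored credential is still a bare MD5 digest (for forced-reset reporting)."""
    return sorted(user for user, rec in store.items() if is_legacy_md5(rec))


# Constructed sample store: one migrated account and one still on unsalted MD5.
SAMPLE_STORE = {
    "alice": hash_password("example-password-1"),
    "legacy_user": hashlib.md5(b"example-password-2").hexdigest(),
}


if __name__ == "__main__":
    print("accounts still on MD5:", legacy_accounts(SAMPLE_STORE))
    ok, new_record = login("example-password-2", SAMPLE_STORE["legacy_user"])
    print("legacy login ok:", ok, "| upgraded:", not is_legacy_md5(new_record))
```

The `legacy_accounts` report is the piece a defender actually wants after an incident like the one discussed here: it tells you exactly which users must be forced through a reset rather than waiting for them to log in, since an attacker holding the dump does not need to wait for the migration.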
What are real roots (motivation) of these attacks?
Competitors, discrimination, Trumpism, etc., or what?
Epik must consider it first.
Nobody is going to know until it lands in court. It's also by far the least important aspect of their immediate response, since their priorities should be securing their infrastructure and notifying affected parties.