What about the user database? Was it compromised? I'd hate to see bitcoins sent to the wrong address.
I have a database snapshot taken before the bad guys took over the database. So there's no reason to think payout addresses have been modified. Any change of wallet on the pool profile requires email confirmation by the account owner, so I think we're on the safe side here.
Unfortunately the user database can be considered compromised, so the attacker knows users' emails :-(.
How were the passwords hashed?
never answer that!!!
let me rephrase: were the passwords securely hashed?
And salted?
Not to preach to you, but this is a perfect example of why everyone should use unique passwords on every website.
I personally use 20+ character randomly generated passwords thanks to LastPass. Makes secure password management so easy.
I am assuming the worst, that they were not hashed and salted. No word on the matter suggests that is possibly the case? I'd like to know either way. Embarrassing as it may be.
Slush has been doing this for years, and it is 2013 not 2008. We can all safely assume that passwords were at least SHA hashed and salted.
No word on the matter is because the man is slaving away, on no sleep, to get everything back up and operational after a severe inside-job hack attempt.
Many props to you Slush, your efforts are greatly appreciated!