I have questions with the Magical Tux story of what happened.  I would like to know the truth of the hacking incident.  If there was a financial auditor possessing the database for financial reasons what business did they have with having the password file.  I see no reason for a financial auditor needing the password file.  They only need the portions of the database that reference transactions and account numbers.  Whenever I work with the government and I have been involved in many audits from an IT perspective I only give the auditors the information that is needed for the audit and no more records then are needed.  Users names, email addresses and password hashes would be out of the question in an audit.

-Dukejer