Half measures are not solutions. Keeping insecure hashes on hand was the main mistake, full stop.
They'd still have leaked all of the insecure hashes of people who never logged in after the change in 2012 -- and that's still not good enough.
Immediate remediation means never keeping toxic hashes on hand, and never having to say to any subset of your customers "Sorry, but your password has been compromised due to our incompetence".