How? Don't the attackers have to know the password hashing algorithm to do that? If they have enough penetration into the system to know that, couldn't they just capture the passwords when they were unhashed? I.e., could it have been that they let PayPal know they had been compromised, so that a program they left on PayPal's systems could report the unhashed passwords when PayPal told their users to reset their passwords?
I don't know how it was done, but I'm pretty sure they grabbed the password hashes, not the plaintext passwords. If the hashes weren't salted, they could have just used a standard lookup table. It seemed to be a fairly sophisticated attack. When my PayPal account was accessed, my email account was DoS'd by sending thousands of garbage emails to it every hour, to prevent me from reading PayPal's email notifications associated with account activity. It wasn't until later in the day that I discovered independently what had happened, and realized why my email was being DoS'd.
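The reply's point about salting, as an added illustration that is not part of either post: a precomputed digest-to-password table is built once and matches any unsalted hash of a password it covers, while a per-user random salt changes the digest so the same table finds nothing, and a slow key-derivation function on top makes each fresh guess expensive. The four-entry password list is a constructed stand-in for a real table, and the PBKDF2 iteration count is an assumed value for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny list of common passwords standing in for the
# large precomputed lookup table the reply refers to.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precompute digest -> password once; it is reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in passwords}


def lookup(table, digest):
    """Return the password behind an unsalted digest, or None if it is not in the table."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. A per-user salt changes the digest, so a
    table built without that exact salt never matches."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_password(password: str, iterations: int = 200_000):
    """What a defender should store instead: a random 16-byte salt plus a slow
    PBKDF2-HMAC-SHA256 derivation, so every guess costs the attacker real work.
    The iteration count here is an assumption for this example."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: the leaked digest is found directly in the precomputed table.
    leaked_unsalted = unsalted_hash("letmein")
    print("unsalted lookup:", lookup(table, leaked_unsalted))   # letmein

    # Salted: the same password with a random salt is not in the table.
    leaked_salted = salted_hash("letmein", os.urandom(16))
    print("salted lookup:  ", lookup(table, leaked_salted))     # None

    # Salted and slow: verification still works for the legitimate user.
    salt, iters, stored = store_password("letmein")
    print("pbkdf2 verify:  ", verify_password("letmein", salt, iters, stored))  # True
```

The lookup step is what a stolen unsalted database enables; the salted and PBKDF2 paths show why a breach of a properly hashed store does not hand over the passwords, which is the distinction the reply draws.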