“You could have the hardest-to-guess password, salted and hashed thousands of times, and still be at risk.
That happened about a year ago at Dropbox, for instance, when the file-sharing site inadvertently removed its authentication validation altogether for a few hours. Anyone could use any password.
It’s happened again, this time with a more corporate angle.
Open source database giant MySQL (and its post-Oracle fork, MariaDB) contained a bug which meant that your password might be checked correctly only 255 out of every 256 times. One in 256 times, anything might get you in”
"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions…"