I started writing about application security after I realized there is so little information available publicly, so I had to conduct my own research while it was obvious that other people had already done the same things. The problem still exists because most publications are aimed at an expert audience. However, information security is not a theoretical science but rather the art of combining computer technology with human communication and psychology. Basic security principles are simple; they just need to be explained in layman's terms.
The National Childbirth Trust (NCT) sent a message saying their email addresses, usernames and passwords had been compromised.
"Encrypted" is a very vague description. If the passwords are just hashed with a basic hash function like SHA, without any additional security measures such as a salt and/or multiple rounds of hashing, cracking such "encryption" is a very easy task. It can be done with brute force, rainbow tables and/or a dictionary within seconds, minutes, or hours depending on how strong the password is (and I don't anticipate users of this website creating very strong passwords).
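To make the point above concrete, here is an added example (not part of the original post, and not code from NCT or any real breach) that contrasts the weak scheme with the one a defender should use. It assumes a constructed four-word list standing in for a real wordlist, and 600,000 PBKDF2 iterations as an assumed cost parameter. With a bare SHA-256, every user with the same password has the same hash, so a precomputed table resolves the hash with a single lookup; with a random per-user salt and many rounds, identical passwords produce different records and each guess costs the full iteration count.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist (real ones have millions of entries; the cost
# of a lookup-table attack is a dictionary probe regardless of list size).
WORDLIST = ["password", "123456", "letmein", "qwerty"]

# Assumed cost parameter for the hardened scheme; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one bare hash, identical output for every user
    who chose the same password, and trivially precomputable."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; this is what a rainbow or lookup
    table amounts to for an unsalted hash."""
    return {unsalted_sha256(w): w for w in words}


def recover_unsalted(records, table):
    """Resolve leaked unsalted hashes by table lookup only.
    records: {username: hex_hash}. Returns {username: plaintext} for hits."""
    return {user: table[h] for user, h in records.items() if h in table}


def shared_password_groups(records):
    """Unsalted hashes also leak which users share a password: group by hash."""
    groups = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def salted_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The hardened scheme: per-user random salt plus a slow, iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str):
    """Create a stored credential: (salt, derived_key). Store both; the salt is not secret."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), stored)


def demo():
    # Constructed "leaked" records: three users, two with wordlist passwords.
    leaked = {
        "alice": unsalted_sha256("password"),
        "bob": unsalted_sha256("letmein"),
        "carol": unsalted_sha256("correct horse battery staple"),
        "dave": unsalted_sha256("password"),
    }
    table = build_lookup_table(WORDLIST)
    recovered = recover_unsalted(leaked, table)
    shared = shared_password_groups(leaked)

    # Same password, two users, hardened scheme: records differ and verification works.
    salt_a, key_a = make_record("password")
    salt_d, key_d = make_record("password")
    return {
        "recovered_by_lookup": recovered,
        "shared_password_groups": shared,
        "salted_records_identical": key_a == key_d,
        "verify_correct": verify("password", salt_a, key_a),
        "verify_wrong": verify("letmein", salt_a, key_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt does not need to be secret; its job is to make every record unique so that no table can be computed in advance and every guess has to be run through the full KDF for one user at a time. A dedicated password hash such as bcrypt, scrypt or Argon2 is preferable in production; PBKDF2 is used here only because it ships in the standard library.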
So what I don't understand is: why didn't they immediately invalidate (delete) all the records in order to force users to change their passwords?
The Security Analogies Project is a very interesting initiative which I discovered while reading Ben Rothke's excellent article in CSO Online.