Therapist: you need to focus less on the things that are outside of your control, and come to accept the fact that there are some things you just can’t change.

Me: crying you mean some things just be what they be?

That’s correct, let’s say a database was breached and the hacker has every user and their password hashes. They can login with testuser@email.com with password “password123” and see if the generated hash matches any other user’s password hash. If so, they might be able to hack many accounts with the same password or even reverse engineer and decrypt every other password.

Developers can make the hash more secure by adding arbitrary characters to the password (aka a salt), and this becomes the site’s “authentication algorithm”. But if the hashes are stolen, it may be a matter of time before the algorithm is figured out, which leads to updates, which leads to your pre-existing hash no longer matching.

There could be many reasons they don’t prompt you to change: they meant to send an email but your notification preferences disallowed it, they sent an email and you missed it, they wanted to keep it quiet, they forgot to add the message and ux flow to change password, or they’re incompetent and didn’t know they needed to do that.

The Epic thing I’ve never seen before but that’s definitely incompetence and/or a very weird bug that just slipped past them.

If there were a data breach where a hacker could figure out the encryption algorithm, you don’t want users to reuse an older password because those older passwords could’ve already been cracked.

By the way, this is why you should also never use the same password for every site. If one of your passwords is leaked and linked to a similar username or email, everything is vulnerable. I’ve had this happen before (the Target breach). After that I started using SSO exclusively, with a random 16 char password manager if SSO isn’t an option (crossing my fingers that bitwarden doesn’t get hacked like LastPass)

This’ll happen if there’s been a suspected data breach with poor password encryption or requirements. Gotta be safe and change the algorithm, breaking everyone’s existing passwords. But yeah, it is annoying…