How does a ‘data leak’ even compromise passwords? They should only be stored hashed (and so unreadable).