Researchers at Carnegie Mellon University studied the efficiency of password-related breach notifications. They found that only about a third of users change their passwords after a data breach. The researchers recommend that companies revamp their breach notifications to include more information on effective password resets. They say that companies hash and salt their passwords to avoid credential-stuffing and rainbow-table attacks that target plaintext passwords. Government regulators should make password reset requests mandatory for all companies that sustain a data-breached data breach and create incentives for two-factor authentication.”]
Source: https://www.cuinfosecurity.com/study-breach-victims-rarely-change-passwords-a-14370