Buried down the text, they have the plausible deniability disclaimer:
"As Lee notes, the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points."
Of course "credentials have been exposed": the vast majority of sites have been hacked. It doesn't mean this person used the same credentials everywhere, AND that they didn't use 2FA, AND that the credentials matter in the first place. And, of course, this has absolutely nothing to do with malware.
Shame on you ARS for publishing purely speculative posts.
Buried down the text, they have the plausible deniability disclaimer:
"As Lee notes, the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points."
Of course "credentials have been exposed": the vast majority of sites have been hacked. It doesn't mean this person used the same credentials everywhere, AND that they didn't use 2FA, AND that the credentials matter in the first place. And, of course, this has absolutely nothing to do with malware.
Shame on you ARS for publishing purely speculative posts.