As I understand it, they zeroed out the start of the hashes they've already cracked (that's the speculation). I'm assuming that's being checked for server-side?
According to LI, they started salting at some point. Simple hashing obviously won't match in that case, but I guess the crackers have the salts so they can do the legwork themselves.
Annoyingly, LI say that they've invalidated passwords on compromised accounts, but I can see that's not the case. My password hash is in the list (random 20 char pw) but they didn't deactivate my password (I've obviously changed it now).