For example, see this story. Am I missing something here? Are the login details actually still encrypted?
I don't understand how it is possible for a data breach of what I assume is encrypted information (GMail, Yahoo etc) to end up in an exploitable form (which I assume is only plaintext?).
Passwords should not be encrypted, they should be hashed. Encryption can be easily reversed if you have the key - and an attacker who has managed to steal the whole database probably has stolen the key as well. A hash can not be easily reversed.
When someone attempts to login, the server does not decrypt the stored password. Instead it hashes the provided password and see if it matches the stored hash of the password.
So if a hash function is designed to be hard to reverse, why does the passwords end up in plaintext? Because of brute force attacks.
If you have a hash, you can simply try to hash all possible passwords and see if you get a match. You might have to try a couple of millions before you find a match, but sooner or later you will. If you use a list of common passwords and try those first, it will be quick to break common passwords such as 123456.
To keep your passwords safe, you need to make "sooner or later" mean "so late it is not worth the effort". That is done by using hash functions deliberately designed to be slow even on modern hardware, so that trying millions and millions of passwords would take years or even millenia.
However, a lot of sites either use bad hash functions (that are fast, and therefore easy to brute force) or even worse - they just store the passwords in plain text or just encrypted. Therefore, a lot of passwords ends up in plaintext in the hands of hackers.
For more information on hashing, I recommend this question.
Given the thin details in the story it's hard to be sure, but the simplest explanation is the credentials were not encrypted when the hacker made a copy.
The passwords might have been encrypted in a database, but many so-called 'transparent' database encryption schemes serve only to protect the database file from being copied and reused; they transparently decrypt the data to clients who access the data through the engine with legitimate credentials. If the hacker retrieved the credentials through a query using those credentials (perhaps by abusing some internal service designed to email people their forgotten passwords), he would have retrieved the passwords in the clear.
It's also possible the passwords were stored as 'unsalted' hash values, so they would be vulnerable to rainbow table attacks.
Mail.ru is an old service that has been around for decades. If they've never modernized the security of their user/password database, any of these old password storage schemes would have been possible, leaving them vulnerable.
Because Google and Yahoo generally know how to do security right, yet were mentioned in the article as having been violated, something else may be going on. As the article mentioned Russian and Chinese services, we can speculate they may be subject to rules requiring email services to turn over actual user passwords to government or law enforcement agencies. That would mean the companies would have to store passwords in a recoverable way, such as encryption, instead of using a strong password hashing algorithm such as PBKDF2.
It's also possible that the Google and Yahoo accounts fell victim to shared password attacks. After having learned ivan@mail.ru's password, they could have simply substituted ivan@gmail.com and ivan@yahoo.com and tried them that way. But verifying millions of passwords would likely catch the attention of the security teams at Google and Yahoo.
Again, this is speculation based on weak details, but all of these attacks have happened in the past to different providers.
