Last week, natural language processing and corpora storage company LinguaSigma revealed that attackers had gained access to one of their production databases and made off with more than 10,000 email addresses and password hashes. Before long, the dumps were posted online, and lists of thousands of cracked passwords followed soon after.

On closer analysis, most of the cracked passwords were the minimum length of only 8 characters. It is of course possible that we have a biased sample: shorter passwords are easier to crack, and we have no way to know the length of the remaining passwords on the list. That said, the lesson to be learned is clear: if you let users enter short, insecure passwords, they will. If LinguaSigma’s minimum required length had been 10 or 12 characters, the hashes would be much harder to crack quickly, which would make this breach far less impactful. The exposure of thousands of email addresses would of course still be less than ideal, but without associated passwords the worst an attacker could do would be send out phishing emails.

The company’s response to the breach has been less than stellar. They were quick to notify users that their information was compromised, which is a good first step, but they have failed to mention any specific actions they will take to improve security moving forward. According to some outlets, Emilie McCauley, the company’s owner, has been spending most of her time on a new venture called Chateks, and may be considering suspending or closing LinguaSigma and bringing its employees over to work at the new company. While this would explain the half-hearted response, it certainly doesn’t excuse it.