> won't give him access to more then he already has.
That is very incorrect. A lot of hash leaks happen when an attacker can read data. but he can't necessarily edit it or even make sense of it. Also, the attacker usually does a quick download, then _sells_ the data.
So, imagine your Twitter password was leaked. The original attacker a) likely doesn't have write access, and 2, is just going to sell the password hashes.
The real worry is the buyer, who buys the hashes, to log in as you and do anything.
This is how youvebeenpwned works. He actually finds leaks of hashes on the dark web.
That is very incorrect. A lot of hash leaks happen when an attacker can read data. but he can't necessarily edit it or even make sense of it. Also, the attacker usually does a quick download, then _sells_ the data. So, imagine your Twitter password was leaked. The original attacker a) likely doesn't have write access, and 2, is just going to sell the password hashes. The real worry is the buyer, who buys the hashes, to log in as you and do anything.
This is how youvebeenpwned works. He actually finds leaks of hashes on the dark web.