How do these guys crack the password belonging to a given user name ?
I mean, for example the forum allows 5 retries for entering password and user name. Then the account belonging to the user name(If it is correct) gets blocked. So, there is a timeout that must pass in between entering passwords to prevent from being blocked and locked out.
The server stores the password in the database, and the database gets compromised.
In this particular attack, the hackers used SQL injection, to cause the servers to return the list of usernames and passwords.
Because the password file/table is such an obvious high-value target, it is very strongly recommended that the passwords not be stored as is, but instead the hash is stored. This way, if the hash is compromised, there is no simple way to reverse the hash process and recover the password.
Except that doesn't really work these days. You can build a dictionary of "likely" passwords and their hashes. The hackers can then lookup the stolen hashes in their dictionary.
To really foil that the recommendation is to store a "salted" hash. In this case, a random string is stored with the user name, and added to the supplied password before hashing. So, the server might store "user:BillG1; random:hgfws9rgb123kdyhf23bkivi823; hash: <hash of hgfws9rgb123kdyhf23bkivi823!ReallyStrongPa$$w0d!>"
The presence of a random salt for each user means that it is not practical to use pre-calculated dictionaries for bulk cracking.
However, it is still possible to brute force individual passwords one at a time. You simply compute a ton of hashes based on "likely" passwords until you find one that matches. Not really practical on a CPU, but technology moves on.
Remember, hashing is a easily parallelizable problem. GPUs are thousands of times faster than a CPU. FPGAs are multiple orders of magnitude faster than GPUs. I wouldn't be surprised, if there are even now ASICs in use by forensic services, data recovery companies, government black op units, etc. Remember that bitcoin mining is basically just brute-force "hash reversal", so there are hugely efficient, hyper-optimized GPU and FPGA code readily available for SHA256 (which is a hugely popular password hashing algorithm).
Because of the ready availability of ultra-fast hashing technologies, best practice is to use a special ultra-slow, high-resource function instead of a conventional hash. PBKDF2, bcrypt and scrypt are examples of these - scrypt in particular was specifically designed to be hard to parallelize due to massive RAM and RAM bandwidth requirements. Because of this, it is relatively slow on GPUs, and impractical on FPGAs (a top end GPU would likely only be able to do 50 khash/s in scrypt at its minimum recommended difficulty level - you could brute force the easiest passwords with a dictionary, but anything more is utterly impractical. By contrast $1000 worth of FPGAs running SHA256, would likely be getting close to 5 Ghash/s range).