
For any individual/organization remotely competent at security (i.e. not using Passw0rd! as password and reusing elsewhere), a leak of hashed password is probably the least of concerns. Compared to this anyway:

> According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.



former Heroku employee, though long long long ago, with no specific knowledge about this incident, but...

We did so much work in open source it was just easier to assume everything was always publicly viewable, or that what you were doing now might be open sourced in the future along with the full commit history. Whether something was private or public was more a business decision around competitive risks and not a security-led one. To that end I'm far more concerned about a database and passwords getting popped.

But who knows, a lot can change in 10 years. Maybe private repos being exposed is also very bad.



