An attack on schemes that wrap a plain hash (e.g. SHA-256) inside bcrypt. Attackers take large databases of already-cracked SHA-256 → password mappings and test each known hash against the bcrypt layer; when one matches, the password behind the bcrypt hash is known without brute-forcing bcrypt. This is why HMAC (with a secret key) is preferred over a plain hash when preprocessing passwords before bcrypt.
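The difference between the two preprocessing choices, as an added example that is not from the original page: it checks whether a SHA-256 digest taken from an unrelated dump verifies against a stored record. PBKDF2 stands in for bcrypt so the code runs with the standard library only (an assumption; the property depends on the preprocessing step, not on the slow hash), and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os

def slow_hash(data: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption) so the example needs only the standard library.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 10_000)

def prehash_plain(password: str) -> bytes:
    # Weak: unkeyed SHA-256, hex-encoded (raw digests can contain NUL bytes,
    # which bcrypt treats as end of input). Any other system that hashed the
    # same password with SHA-256 holds this exact digest.
    return hashlib.sha256(password.encode()).hexdigest().encode()

def prehash_hmac(password: str, key: bytes) -> bytes:
    # Hardened: HMAC-SHA-256 under a secret key kept outside the password database.
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest().encode()

def store(prehashed: bytes) -> tuple[bytes, bytes]:
    # Returns (salt, slow hash of the preprocessed password).
    salt = os.urandom(16)
    return salt, slow_hash(prehashed, salt)

def accepts(record: tuple[bytes, bytes], prehashed: bytes) -> bool:
    # True if the given preprocessed value verifies against the stored record.
    salt, stored = record
    return hmac.compare_digest(slow_hash(prehashed, salt), stored)

def demo() -> tuple[bool, bool, bool]:
    password = "correct horse battery staple"   # constructed sample
    key = os.urandom(32)                        # constructed secret key
    # Digest as it would appear in an unrelated plain SHA-256 dump.
    foreign_digest = hashlib.sha256(password.encode()).hexdigest().encode()

    weak_record = store(prehash_plain(password))
    hard_record = store(prehash_hmac(password, key))

    return (
        accepts(weak_record, foreign_digest),               # digest alone verifies
        accepts(hard_record, foreign_digest),               # digest is useless without the key
        accepts(hard_record, prehash_hmac(password, key)),  # normal login still works
    )

if __name__ == "__main__":
    print(demo())
```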