The authentication mechanism requires a new nonce and new signature with each login. The only individual who can create the signature is the wallet user. If the web site DB is popped, the attacker only gets wallet addresses or hashes of wallet addresses… which are useless without the private keys… which never leave the authenticated user’s wallet.
This process is similar to ssh public key auth.
Here’s a decent randomly found write-up:
It’s very different from using a username/password database for authentication. The server doesn’t store anything that’s useful to an attacker. However, if a user loses their wallet somehow, the website has no method to retrieve the account. So, some websites offer both methods of authentication.
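The challenge-response flow the post describes, as an added example that is not part of the original post or of any particular wallet or site implementation. It uses Ed25519 from the Go standard library in place of a wallet's secp256k1 signature (an assumption made so the example runs offline); the `Server`, `Wallet`, `IssueNonce`, `Login` and `ChallengeMessage` names are hypothetical. The server stores only a hash of the public key, hands out a random single-use nonce with a short expiry, binds the signed message to its own domain, and consumes the nonce on first use so a captured signature cannot be replayed:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Server holds nothing secret: an address (hash of the public key) -> public key
// table, plus live nonces. Dumping this gives an attacker no way to log in.
type Server struct {
	mu       sync.Mutex
	domain   string
	accounts map[string]ed25519.PublicKey // address -> public key
	nonces   map[string]time.Time          // nonce -> expiry (single use)
}

func NewServer(domain string) *Server {
	return &Server{
		domain:   domain,
		accounts: map[string]ed25519.PublicKey{},
		nonces:   map[string]time.Time{},
	}
}

// AddressOf derives the stored identifier from the public key (hypothetical scheme).
func AddressOf(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// Register links a public key to an account; the private key is never seen.
func (s *Server) Register(pub ed25519.PublicKey) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	addr := AddressOf(pub)
	s.accounts[addr] = pub
	return addr
}

// IssueNonce returns a fresh random nonce valid for two minutes.
func (s *Server) IssueNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	s.mu.Lock()
	s.nonces[nonce] = time.Now().Add(2 * time.Minute)
	s.mu.Unlock()
	return nonce, nil
}

// ChallengeMessage is the exact text the wallet signs. Including the domain
// stops a signature collected by one site from being replayed at another.
func ChallengeMessage(domain, address, nonce string) []byte {
	return []byte(fmt.Sprintf("%s wants you to sign in\naddress: %s\nnonce: %s", domain, address, nonce))
}

// Login verifies the signature over the challenge and burns the nonce
// regardless of outcome, so each nonce can be tried exactly once.
func (s *Server) Login(address, nonce string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	expiry, ok := s.nonces[nonce]
	if !ok {
		return errors.New("unknown or already used nonce")
	}
	delete(s.nonces, nonce)
	if time.Now().After(expiry) {
		return errors.New("nonce expired")
	}
	pub, ok := s.accounts[address]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, ChallengeMessage(s.domain, address, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Wallet is the client side: the private key stays here and only signatures leave.
type Wallet struct{ priv ed25519.PrivateKey }

func NewWallet() (*Wallet, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{priv: priv}, nil
}

func (w *Wallet) Public() ed25519.PublicKey { return w.priv.Public().(ed25519.PublicKey) }
func (w *Wallet) Sign(msg []byte) []byte    { return ed25519.Sign(w.priv, msg) }

func main() {
	srv := NewServer("example.test")
	w, _ := NewWallet()
	addr := srv.Register(w.Public())
	nonce, _ := srv.IssueNonce()
	sig := w.Sign(ChallengeMessage("example.test", addr, nonce))
	fmt.Println("first login:", srv.Login(addr, nonce, sig))  // <nil>
	fmt.Println("replayed login:", srv.Login(addr, nonce, sig)) // error: nonce already used
}
```

The account-recovery limitation the post mentions is visible here too: `Register` keeps only `AddressOf(pub)` and the public key, so if the wallet holding `priv` is lost there is nothing on the server from which the account can be recovered.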