This is a weird use case (deliberately making the hash public) and the usual concept of a salt feels weird here. Any kind of server-side secret would have effectively stopped this attack, even if it was the same in every hash.