Are the passwords salted using random salts? If not, rainbow tables are available for common passwords using common hashes, and the hashed passwords may well have been leaked from bitmarket.eu itself or a from a backup or any offline copy. And even if salted, weak passwords may be found using a brute-force dictionary attack against the hashed passwords list, even if it takes more time.

It looks like at least one user whose account has been hacked was using a unique but weak password. That would match this scenario.