The salted crypt() hashes are more difficult to crack but so far I have found 2706 out of 59236 passwords of the database by just one hour GPU dictionary-based cracking.  It can be safe to assume that the attacker was able to crack similar number and could control thousands of accounts.