So while letting his database fall into the wrong hands was definitely one of his many mistakes, it wasn't the key one. The most damning was using plain, unsalted, un-iterated MD5 to hash his passwords. That meant one single run of MD5 would be sufficient to brute-force the entire database. For those who already have existing rainbow tables, it will take seconds to crack weak passwords. For those who don't, it takes only minutes to a few hours to generate the rainbow tables for weak passwords (up to, say, 8~9 characters), making it very profitable to do so.
Actually, my account's password there was hashed with the MD5 salted crypt algorithm ($3$salt$hash)... which also makes me believe someone had that DB for quite a while. The added difficulty would mean one thing: the attack might not have happened when it did, but at some point in the future... thus the attack would take place either way.
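The cost difference described above (one MD5 per guess covering the whole database, versus per-user salt and iteration) can be made concrete by counting hash computations. The following is an added example, not code from the thread; the user list and guess list are constructed sample data, and PBKDF2-HMAC-SHA256 stands in for the salted crypt scheme as the hardened comparison.

```python
import hashlib
import os

# Constructed sample data: three users, two of whom share a weak password.
SAMPLE_USERS = {"alice": "letmein", "bob": "letmein", "carol": "sunshine"}
COMMON_GUESSES = ["123456", "password", "letmein", "qwerty", "sunshine"]


def store_unsalted_md5(users):
    """The weak scheme from the thread: plain MD5, no salt, no iteration."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def store_salted_pbkdf2(users, iterations=100_000):
    """Hardened scheme: per-user random salt plus an iterated KDF."""
    stored = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        stored[u] = (salt, iterations, dk)
    return stored


def audit_unsalted(stored, guesses):
    """Unsalted: index hash -> users, then ONE MD5 per guess checks everyone.
    Identical passwords also collapse to identical hashes, leaking reuse."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    computed, weak = 0, {}
    for guess in guesses:
        computed += 1
        for user in by_hash.get(hashlib.md5(guess.encode()).hexdigest(), []):
            weak[user] = guess
    return weak, computed


def audit_salted(stored, guesses):
    """Salted: every (user, guess) pair needs its own slow derivation, so the
    work grows with the number of users instead of being paid once."""
    computed, weak = 0, {}
    for user, (salt, iters, dk) in stored.items():
        for guess in guesses:
            computed += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iters) == dk:
                weak[user] = guess
                break
    return weak, computed
```

Run both audits against the same sample: the unsalted store is fully covered with 5 MD5 calls, while the salted store needs one iterated derivation per user per guess.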
Going to fire up the VM now and will work on it for a while.