If you account for speed increases over the last 10 years and assume the password thief has access to a botnet, then it wouldn't surprise me if they've found collisions for the entire list.
Edit: Nevermind, the link finds two strings that hash to the same thing; it does not find a string that hashes to an existing hash.
The collision generator behind that link does not implement a preimage attack (given a string X, come up with another string Y with the same MD5 hash).
Instead, it implements the much easier collision attack (come up with two strings that have the same MD5 hash).
This site from 2006 claims they could find collisions in an average of 45 minutes on a 1.6 Ghz Pentium 4: http://www.bishopfox.com/resources/tools/other-free-tools/md...
If you account for speed increases over the last 10 years and assume the password thief has access to a botnet, then it wouldn't surprise me if they've found collisions for the entire list.
Edit: Nevermind, the link finds two strings that hash to the same thing; it does not find a string that hashes to an existing hash.