My point was, if they hash properly, a simple db dump is not a big deal (although obviously considering the password compromised is sensible, and password reuse is a bad idea which is not a proof people don't do it).

I'm signing out of this thread as my point seems to have been lost somewhere. Thanks for the interesting link though.