Chances are, the hackers have a good majority of the passwords, given that they got the hashes/salt, they would have had some time with some decent gpu hardware to crack the weaker passwords.So what is the probability that the passwords we used here are floating around? Our email addresses, should we expect to be on spam lists now too?
Also, for all we know, the hackers could have compromised the site long ago, and only chose to actually show off the pwn just the last week. If they did, There is a possibility that the login form was modified, to capture passwords into a log somewhere. Regardless of whether thats the case or not, lets just assume the hackers may have a good chunk of the passwords already, and suggest that they be changed.