There are myriad ways that plaintext can be derived from password hashes. Rainbow tables are an option if the hashes are not salted; otherwise, the attackers likely had access to fairly significant computing power (considering the amount of money they were raking in) to perform typical dictionary and brute-force attacks on them.
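Why salting takes the precomputed-table option away, shown from the storage side. This is an added example, not part of the original text. The function names, the sample accounts and the PBKDF2 iteration count are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: the same password always yields the same digest,
    so one precomputed table applies to every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def shared_digest_groups(store: dict) -> list[list[str]]:
    """Audit check: accounts whose stored value is identical. Any hit means
    the scheme is unsalted and equal passwords are visible in the store."""
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts (not real data).
ACCOUNTS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def build_stores() -> tuple[dict, dict]:
    """Store the same accounts under both schemes for comparison."""
    unsalted = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_hash(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted duplicates:", shared_digest_groups(unsalted))
    print("salted duplicates:  ", shared_digest_groups(salted))
```

With the salted store, each account has to be attacked separately and every guess costs a full KDF run, which is the "significant computing power" case described above.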