They still could've STORED them in a different way in the backend (e.g. use the md5 hash as 'password' and then use pbkdf2) then the leak would not have been as much of a problem as it was.