The list that was posted has apparently been removed (if you can get to the site, which seems to be under heavy traffic with people looking for it). Furthermore:
While it's difficult at this point to definitively know how the hackers acquired the material, Chris Davis, a cybersecurity researcher and fellow at the University of Toronto's Munk School of Global Affairs, hypothesized that one likely possibility, based on the information contained in the leak, is that the hackers made use of a botnet. "The list of credentials [in the published list] fits that bill pretty well," he explained.
Malware explains the odd collection of websites, relatively small number of accounts, and supposedly plaintext passwords. So anyone affected who changes their password will just have that new password picked up unless they've exorcised their computer.