We can't know for sure since they aren't divulging their source, but some of the services listed are too sophisticated (esp. Gmail, even if you don't believe in the competency of those who run Hotmail) even to store passwords in cleartext anywhere.
If I had to guess at how they obtained these passwords, they did it by actual hacking of the accounts (or somehow got hold of the password hashes to run faster attacks on), and in that case, the accounts with weak passwords are the low-hanging fruit; of course the list will contain many, many weak passwords subject to various dictionary attacks.
This doesn't explain everything, since looking through the password list, I do see a few that actually look randomly generated, such as "Zt8bNOI655" (maybe they used keylogger trojans in addition to other methods), but unless the use of dictionary attacks of any form can be ruled out, statistically, this list is worse than worthless—it's downright misleading, unless the only claim made is that there still exist users who use weak passwords.