It’s important to note his point that the 6.5M leaked passwords most likely represent only ‘unique’ password hashes, not total accounts, meaning the number affected is probably far higher (not to mention the probability that the hackers responsible also hold unpublished email addresses, contact lists and more). LinkedIn’s response has been lukewarm at best and reserved at worst, so it might be a while before the full extent is revealed.
“On a system with many users, the chances that some of them have chosen the same password are pretty good. Humans are notoriously lousy at selecting good passwords. For the evil attacker, that means all users who have the same hashed password in the database have chosen the same password, so it is probably not a very good one, and the attacker can target that with a brute force attempt”.
“This became a problem and was solved in the 1980s: To fix the problem, we have to make sure that users do not have the same hash-value stored, even if they have the same password.”
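To make the two quoted points concrete, here is an added example (not from the original post or from LinkedIn) that builds a small user table two ways: first with a bare, unsalted hash, where users who share a password share a hash and are immediately visible as a group in a leaked dump, and then with a per-user random salt run through PBKDF2-HMAC-SHA256, where the same password yields unrelated stored values. The usernames, passwords, and the choice of SHA-1 for the unsalted case are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample user table: alice and bob have chosen the same password.
USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password (assumed scheme): identical passwords
    always produce identical stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 over password + per-user salt: identical passwords
    produce different stored values because the salts differ."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def build_unsalted_table(users: dict) -> dict:
    """Username -> bare hash, the layout an unsalted leak exposes."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def build_salted_table(users: dict, iterations: int = 100_000) -> dict:
    """Username -> {salt, iterations, hash}; a fresh 16-byte salt per user."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = {
            "salt": salt.hex(),
            "iterations": iterations,
            "hash": salted_hash(p, salt, iterations),
        }
    return table


def shared_hash_groups(hashes: dict) -> list:
    """Group usernames whose stored hash is identical. In an unsalted dump
    every group is a set of users who chose the same password, which is the
    weakness the quoted text describes; in a salted table groups vanish."""
    groups = {}
    for u, h in hashes.items():
        groups.setdefault(h, []).append(u)
    return sorted(sorted(us) for us in groups.values() if len(us) > 1)


def verify(entry: dict, candidate: str) -> bool:
    """Recompute the salted hash for a login attempt and compare in constant time."""
    salt = bytes.fromhex(entry["salt"])
    actual = salted_hash(candidate, salt, entry["iterations"])
    return hmac.compare_digest(actual, entry["hash"])


if __name__ == "__main__":
    print("unsalted groups:", shared_hash_groups(build_unsalted_table(USERS)))
    salted = build_salted_table(USERS)
    print("salted groups:  ", shared_hash_groups({u: e["hash"] for u, e in salted.items()}))
    print("alice login ok: ", verify(salted["alice"], "Summer2012!"))
```

Run stand-alone, the unsalted table reveals `[['alice', 'bob']]` as a cluster sharing one hash, while the salted table shows no clusters at all; the attacker now has to attack each account's hash separately, and the iteration count makes each guess cost more than a single hash call.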