, JoshRoss wrote


Even if the passwords were hashed with salt, if you have six million of them, you could likely guess the salt from the distribution.

Not really, salts should, ideally, be unique. Even if they used the email address you're going to have a slow old time with rainbow tables, or precomputing.

Even if they used a single salt it's not really guessable as far as I can see.