If they used a single salt, you would take one of the accounts you know the password to and run it through a Sha1 + concat w/dictionary.

But lets face it, for 6.5M+ leaked auth info with passwords likely duplicated across services like banks, paypal, ect... it would be way more cost effective to pay off a former employee who it can't be traced back to. Tell him he'll get a million, then right before he turns it over tell him 10k and if he doesn't turn it over, you'll give him up to the FBI.

Especially if you're some dude in Russia. Then 10 years later when you free your jailed Lukoil/Cayman island buddies from today's generation of black hat internet degenerates, you can fund the next Mark Zuckerberg and have Silicon Valley ignore all the horrible sh1t you did and treat you like a hero. "This guy made it out of the slums of St. Petersburg (clap) by the might of his keyboard alone"