Well, they use SHA512-CRYPT, as far as I understand. And their status site update corroborates that.
Of course, if they only do one round of SHA512-CRYPT, then it is still pretty trivial (a day or two per account) to crack the password I guess.
In my opinion they should reset passwords upon...