Many? Not all? Sounds strange.
The article says: "Another mitigating factor, according to KDDI, is that some passwords were stored in hashed and/or encrypted form"