
> The site was created in 2006 with little knowledge of security, so passwords were stored in md5() hashes without salt

Ouch!

I hope they learned their lesson: Security is an ongoing effort.



16 years without reviewing password security seems like a massive oversight. A major leak like this is a high price to pay to learn this lesson.


The really bad thing is that md5 was considered broken in 2005 by security people like Bruce Schneier.

To be fair to them, it took till around 2008 for this to become widespread opinion, but the signs were on the wall around 2004.


You believe sha256 would drastically improve password hashing, being a not broken hash function? In 2006 they likely ran php4 and didn't have much choice what hash to use.


For 2006 that's actually not bad.

When I joined my first company in 2010, to my horror, they were using plain text passwords for users.


My first company was using MySQL’s OLD_PASSWORD() function in 2013 — straight, with no salt or spice of any kind — in its 64-bit glory. Horrified, I did some research and threw bcrypt up there right away. Not sure if it was my first commit, or the branch fixing 20 or so SQLIs was the first. I became my company’s software security expert out of sheer terror.
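The quoted site stored unsalted md5() hashes, and the comment above describes replacing a similarly bare scheme with bcrypt. As an added illustration (not code from the thread, the site in question, or any commenter), the script below shows both halves of that story: why an unsalted fast hash dump cracks wholesale, and how to migrate every stored md5 in one pass rather than waiting years for users to log in. The stdlib's PBKDF2-HMAC-SHA256 stands in for bcrypt so it runs without extra packages; the USERS and WORDLIST tables, the 600,000 iteration count, and the "pbkdf2$..." and "md5+" record formats are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts for the demonstration; not data from any real breach.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

# A small attacker wordlist, also constructed for the example.
WORDLIST = ["password", "123456", "hunter2", "letmein"]

# Assumed work factor for PBKDF2-HMAC-SHA256 (in the range OWASP currently recommends).
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """The 2006-style scheme from the quote: unsalted md5(), hex-encoded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_dump(dump: Dict[str, str], wordlist) -> Dict[str, str]:
    """What an attacker does with a leaked table of unsalted md5 hashes: hash the
    wordlist once, then look up every row. Users with the same password share a
    hash, so one table entry cracks all of them at once."""
    table = {legacy_md5(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from the stdlib is used
    here only so the example needs no extra packages; bcrypt (as in the comment
    above) or Argon2id are the usual choices in a real codebase."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2", "sha256", str(PBKDF2_ITERATIONS), salt.hex(), dk.hex()])


def _check_pbkdf2(secret: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    scheme, alg, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac(alg, secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def wrap_legacy_md5(md5_hex: str) -> str:
    """Migrate a row offline, without waiting for the user to log in: the stored
    value becomes KDF(salt, md5_hex) and the bare md5 is deleted, so a leaked
    table can no longer be matched against precomputed md5 lookups."""
    return "md5+" + hash_password(md5_hex)


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Returns (ok, replacement_record). replacement_record is a direct hash of
    the password to write back after a successful login against a wrapped
    legacy row, so the md5 layer disappears over time."""
    if record.startswith("md5+"):
        ok = _check_pbkdf2(legacy_md5(password), record[len("md5+"):])
        return ok, (hash_password(password) if ok else None)
    return _check_pbkdf2(password, record), None


def demo() -> Dict[str, object]:
    """Run the whole story: the 2006-style dump, what a wordlist recovers from it,
    and the migrated table where equal passwords no longer share a hash."""
    dump_2006 = {u: legacy_md5(p) for u, p in USERS.items()}
    cracked = crack_unsalted_dump(dump_2006, WORDLIST)
    migrated = {u: wrap_legacy_md5(h) for u, h in dump_2006.items()}
    ok_alice, upgraded_alice = verify("hunter2", migrated["alice"])
    ok_wrong, _ = verify("hunter3", migrated["alice"])
    return {
        "same_hash_for_same_password": dump_2006["alice"] == dump_2006["bob"],
        "cracked": cracked,
        "migrated_rows_distinct": migrated["alice"] != migrated["bob"],
        "alice_login_ok": ok_alice,
        "alice_upgraded": upgraded_alice is not None and verify("hunter2", upgraded_alice)[0],
        "wrong_password_ok": ok_wrong,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The wrap-then-replace pattern is the part worth copying: wrapping lets the bare md5 column be dropped the day the migration ships, and the write-back in verify() removes the md5 layer for each account on its next successful login. The constant-time compare in _check_pbkdf2 matters less than the work factor, but it costs nothing.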


Yeah, just last month I was shocked to see a shop where I forgot my 2017 password send it to me. In plain text. By e-mail. (At least, IIRC, they used HTTPS on their website!)



