Hacker News
by Smerity 5112 days ago
The issue is that if I were a hacker I'd have a program that: a) takes an email and password, b) checks if email is in ["gmail", "yahoo", "msn", "facebook", ...], c) attempts to access account using given password and then d) if successful, changes password / mines data.

This is not difficult. There may even be programs that already exist for this. The only difficulty would be not getting blocked by those services after a large number of incorrect attempts, but leverage services like Tor/EC2/botnets and that becomes a null issue.

With password hashing it would at least be _some_ amount of time between accessing the leaked data and havoc. Cleartext means disaster is instantaneous.
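
An added illustration, not part of the comment above: how a service on the receiving end of such attempts could notice them. Per-IP blocking sees nothing when every address makes a single attempt, but counting distinct failing accounts site-wide per time window does. The event layout, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, account, success).
# Six accounts are each tried once from six different addresses,
# followed by ordinary traffic from two regular users.
EVENTS = [
    (1010, "203.0.113.11", "u1", False),
    (1020, "203.0.113.12", "u2", False),
    (1030, "203.0.113.13", "u3", True),    # a reused password was accepted
    (1040, "203.0.113.14", "u4", False),
    (1050, "203.0.113.15", "u5", False),
    (1060, "203.0.113.16", "u6", False),
    (1300, "198.51.100.7", "alice", True),
    (1400, "198.51.100.9", "bob", False),  # typo, then success
    (1405, "198.51.100.9", "bob", True),
]

def per_ip_lockout(events, max_failures=3):
    """Classic control: addresses with more than max_failures failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def stuffing_windows(events, window=300, min_accounts=5, min_fail_ratio=0.6):
    """Flag fixed time windows in which many distinct accounts fail site-wide."""
    buckets = defaultdict(list)
    for ts, ip, account, ok in events:
        buckets[ts // window * window].append((ip, account, ok))
    flagged = []
    for start in sorted(buckets):
        rows = buckets[start]
        failed_accounts = {a for _, a, ok in rows if not ok}
        ratio = sum(not ok for _, _, ok in rows) / len(rows)
        if len(failed_accounts) >= min_accounts and ratio >= min_fail_ratio:
            # Successful logins inside a flagged window are candidates for
            # review and forced reset (they can include legitimate users).
            hits = sorted(a for _, a, ok in rows if ok)
            flagged.append((start, len(failed_accounts), hits))
    return flagged

if __name__ == "__main__":
    print("per-IP lockout:", per_ip_lockout(EVENTS))
    print("flagged windows:", stuffing_windows(EVENTS))
```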