The salt should always be random. If it's based on some account information it's possible that the salt can be regenerated if that account information would become available, in a DB dump like this for example.
If they had used different salts for every account, and that salt was published in this dump it would have been much more difficult to find identical passwords compared to the current situation.
I'm not sure how you can keep the salt random and secret, and still use it when users log in?
Salts aren't secret. The point of salting a password is to prevent the password (like "alskdjfalsdf") from always hashing to the same result (like "j9p+HwtWWT86aMjgZFLzYg=="). That prevents rainbow table attacks (among others) and it doesn't require the salt be secret.
If lots of sites all use user ids as a salt and all count up from 1 then a much weaker version of this attack applies: you can identify all the people who have both the same password and the same user id.
If this were common, someone constructing a lookup table for password hashes could include ones salted with the first N user ids. A N-times bigger table isn't something you'd be excited about as a cracker, but might still be practical.
If your user ids are randomly assigned this should be pretty much the same as generating a random salt. Still, the extra storage of a salt is going to be small compared to whatever else you're storing per-user, so better to do the safe thing and go with what's standard.
"I can't see why a user id could not be used as a salt though" thats exactly how people break crypto implementations, it seems ok but you dont really know. Don't just invent your own way, use the standard one.
The salt is typically stored in the password db, alongside the salted hash.
If Adobe has taken that approach, the intruders would have all the salts, but they would not be able to do this attack of seeing how many people use the same password.
However, Snowden's silly password hint would still have given the game away. If that is in fact him.
If it's random, you need to store it, and it becomes just as available on a leak. The salt still works though, because it makes all hashes different. You need to attack each password individually rather than tackling them all with a rainbow table or something. The approach from this article also stops working. What you use as a salt is fairly irrelevant as far as I can tell.
If you want to get more security on top of that out of your salt, the only thing I can think is to add some security by obscurity on top: If it doesn't matter which field in the DB you use, just pick an unlikely one and keep secret which one it is. Might be id, email, favourite pet, or something else. Just don't forget to update the hash when the user changes that field.
I'm not sure how you can keep the salt random and secret, and still use it when users log in?