I was a bit disappointed to read that the passwords were referred to as having been "cracked" ("gaben ... bekannt, dass Passwörter von Privatkonten geknackt und im Internet veröffentlicht worden seien" = "... announced that passwords of individual accounts were cracked and published on the Internet") when in fact it appears that the passwords were obtained through phishing ("Hotmail, Yahoo und Gmail erklärten übereinstimmend, dass die Zugriffe auf die persönlichen Daten nicht durch Lücken in den Sicherheitsprogrammen, sondern durch Phishing zustande gekommen seien. Dabei werden Nutzer etwa mit betrügerischen E-Mails zur Preisgabe geheimer Daten gebracht." = Hotmail, Yahoo, and Gmail explained unanimously that the accesses to personal data was gained not through holes in the security programmes but through phishing. This means that users are asked to divulge secret data, for example, through fraudulent emails.).
I'd say that "cracking" is applicable if an encrypted password is deciphered, a hash reversed, or a password brute-forced by attempting to log into a given account again and again with different passwords until the correct one is determined. But if a password is phished, i.e. divulged in plain text by a user, I wouldn't call that "cracked".
Semantics, perhaps, but I was a bit annoyed at the use of that word in that context, and I'd call that poor journalism.
(Especially that I don't think that anybody would say that the usernames were "cracked", even though those were also obtained in the same way as the passwords -- and in some cases, a username can be nearly as secret as a password.)