1. A decommissioned website was still online and vulnerable to some exploit.
2. The passwords were apparently stored in the clear.
3. In addition to the notification email, the front page of the website has a tiny banner in the bottom left corner to notify its users of the breach.
Here's the text of the notification email: