The site was hacked because Josh added a shitty insecure chat applet to the site which was otherwise totally secure.

It was an XSS exploit that allowed session stealing. This means that the attacker was able to log in as other users and potentially reset passwords. The attacker ATTEMPTED to download a list of username/email/IP/password-hash of all users but it failed with an error instead.

This means that at worst the attacker may have reset some users' passwords. But the site will be restored to an earlier backup before those resets. So the attacker basically accomplished nothing. And everyone just needs to re-log in after the site comes back up.

Despite all the FUD being spread by OP and Josh himself, the attacker did not get full passwords because sites don't typically store full passwords. Sites store hashes based on the passwords. At worst the attacker has hashes, emails, and ip addresses. But probably not even that because as Josh has stated the download failed.