Some bad guys (and it doesn't have to be many) specialise in taking credentials that were leaked (e.g. "bob@example.com has password Superman45") and trying them on every service they can to "crack" more accounts. This is called "Credential stuffing".
Since this can be heavily automated, the returns don't need to be large. E.g. maybe you can spend $100 and crack 5000 accounts with a new site that's suddenly hot, you sell one of them with a cool name to some Russian wannabe-star for $50 and the rest to spammers for 10¢ each (you don't care why spammers want stolen accounts, trust me they do though), you just made $450 for almost no effort.
If you use unique passwords everywhere, you don't need to care very much. But most people do not do this. If you _mostly_ use unique passwords, but er, actually your Twitter, a PHP forum you used back in 2010 and your iTunes account all have the same password, when that PHP forum gets hacked credential stuffing means your Twitter and iTunes will soon be raided.
If the site used a _good_ hash, it buys you time in proportion to a combination of how good your password was (how much entropy) and how good the hash was (how expensive hash trials are, multiplied by how much salt was used). If your password was "pass1234" then no matter how great a hash was used, I can guess it was "pass1234" and be correct instantly. If your password was 24 random alphanumerics then even a crap hash like MD5(password) is safe.
And if you use 2FA, then it raises the cost of compromising your account to that of a targeted phishing attack at worst. That's an entirely different threat model.
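The point about hash strength versus password strength can be checked from the defender's side. This is an added example, not part of the original comment: it audits stored hashes against a small list of commonly guessed passwords under unsalted MD5 and salted PBKDF2. The wordlist, the iteration count and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

# Constructed sample data: a tiny list of commonly guessed passwords.
COMMON = ["123456", "password", "Superman45", "qwerty", "pass1234", "letmein"]
ITERATIONS = 50_000  # assumed PBKDF2 work factor for this demo

def md5_hash(password, salt=b""):
    # The "crap hash" case from the comment: MD5(password), no salt.
    return hashlib.md5(salt + password.encode()).digest()

def pbkdf2_hash(password, salt):
    # A deliberately expensive, salted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def audit(stored, salt, hash_fn, wordlist=COMMON):
    """Return the wordlist entry that matches the stored hash, or None."""
    for guess in wordlist:
        if hmac.compare_digest(hash_fn(guess, salt), stored):
            return guess
    return None

def cost_per_guess(hash_fn, salt, trials=20):
    """Average wall-clock seconds spent on one hash trial."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn("guess%d" % i, salt)
    return (time.perf_counter() - start) / trials

def run_demo():
    weak = "pass1234"
    alphabet = string.ascii_letters + string.digits
    strong = "".join(secrets.choice(alphabet) for _ in range(24))
    results = {}
    schemes = (("md5", md5_hash, b""), ("pbkdf2", pbkdf2_hash, os.urandom(16)))
    for name, fn, salt in schemes:
        results[name] = {
            "weak_found": audit(fn(weak, salt), salt, fn),
            "strong_found": audit(fn(strong, salt), salt, fn),
            "seconds_per_guess": cost_per_guess(fn, salt),
        }
    return results

if __name__ == "__main__":
    for scheme, result in run_demo().items():
        print(scheme, result)
```

The weak password is recovered under both schemes, the 24-character random one under neither; the expensive hash only changes how long each guess takes.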