Fundamentally, this isn't a high-risk situation. If the password controlled something vital, then sure, force the reset on everyone. But what's the worst someone can do with my Kickstarter credentials? They certainly can't spend any of my money; that requires my Amazon password as well.
Isn't that the information that resulted in Amazon and Apple accounts being compromised last year? Perhaps those two have fixed their procedures to prevent that from happening again, but other companies may not have been proactive. And even if proper procedures are in place, all it takes is one little screw-up.
My guess is that it was a CPU cost decision but I'm curious anyway.
Any chance you could give us information on what kind of attack vector was used?
The purpose of a salt is to defeat rainbow tables (either global, as in unsalted MD5, or site-specific in the case of a fixed salt for a whole site); nothing more.
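The distinction drawn in the last comment (no salt, one fixed salt for the whole site, a salt per user) can be measured directly. This is an added example, not code from the thread or from any site discussed in it; the user names, passwords, candidate list and the `site-wide-salt` value are constructed for illustration.

```python
import hashlib
import os

# Constructed sample data: three accounts, two of which share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
CANDIDATES = ["123456", "hunter2", "correct horse", "letmein"]  # constructed list


def digest(password, salt=b""):
    # MD5 only because the comment above names it; the salt's effect is the point.
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_table(salt=b""):
    """Precompute hash -> password for one specific salt value."""
    return {digest(p, salt): p for p in CANDIDATES}


def store(scheme, site_salt=b"site-wide-salt"):
    """Return user -> (salt, hash) as each storage scheme would keep it."""
    db = {}
    for user, pw in USERS.items():
        if scheme == "unsalted":
            salt = b""
        elif scheme == "fixed":
            salt = site_salt
        else:  # per-user random salt
            salt = os.urandom(16)
        db[user] = (salt, digest(pw, salt))
    return db


def tables_needed(db):
    """Distinct precomputed tables required to cover every stored record."""
    return len({salt for salt, _ in db.values()})


def shared_hashes(db):
    """True if two accounts store the same hash, which exposes password reuse."""
    hashes = [h for _, h in db.values()]
    return len(hashes) != len(set(hashes))


def covered_by(table, db):
    """Users whose stored hash appears in the given precomputed table."""
    return sorted(u for u, (_, h) in db.items() if h in table)
```

A global table covers every unsalted record, a fixed salt needs one site-specific table that then covers all users, and per-user salts need one table per record, which removes the benefit of precomputation. In no case does the salt change the cost of a single guess.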