Originally Posted by IB-Dick
The compromise was with the application and they had no access at any time to the database. However, for a second let's say that they did. Your password is saved as an md5 hash with a salt added to it. We don't actually ever save your password. When you type in your password, your specific salt is added to it and it's hashed. The resulting hash is compared to the hash stored in the database. If they match, then it lets you in.
MD5 is a one way hash. This means that you can't take a hash and figure out what the original string was. While there are md5 lookup databases that try to catalog all possible hashes, the fact that we salt the password first makes them completely unusable.
While what you write above about MD5 is true, it does not address the problem of password security on a compromised site.
1.) MD5 is outdated and deprecated, as successful attacks on MD5 have been demonstrated more than 4 years ago. Look this up in any recent book on computer security - or just go to wikipedia. I quote: "On 18 March 2006, [Vlastimil] Klima published an algorithm that can find a collision within one minute on a single notebook computer, using a method he calls tunneling."
How anybody can still use MD5 in critical applications is beyond me. You should switch to SHA. For SHA-1, only theoretical attacks exist, for SHA-2 no known attacks exist.
2.) Salting offers only minimal protection against weak passwords. Everybody with a short password (less than eight characters) should be aware that a brute force attack will uncover it in a few hours (total time for yours and any other similar weak password in the system). Since it is a brute force attack, even a password like "gHj87Q" offers no protection. Also, dictionary attacks can be quite successful - how many of you have a common English word or name as a password? Those take minutes.
3.) A system that has been compromised as far as having backdoors installed should never be considered safe until reinstalled or restored from a known good backup. Evidence that "they never accessed the database" may be false, since the backdoor application could as well have scrubbed the log files to hide its tracks - very common, btw.
And yes, I do system security for a living.
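An added example (not code from either poster or the site in question) that reconstructs the salt-then-MD5 scheme described in the quoted post beside a SHA-2 based PBKDF2 replacement, and times both to show the point made in (2): the salt does not slow down guessing at all, only a deliberately slow key derivation does. The salt layout, iteration count and candidate passwords are my assumptions.

```python
import hashlib
import hmac
import os
import time

# Scheme the quoted post describes: per-user salt prepended, one MD5 pass.
# Reconstructed from the description only; the site's real code is not shown.
def legacy_hash(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()

def legacy_verify(password: str, salt: bytes, stored_hex: str) -> bool:
    # constant-time compare avoids leaking how many hex digits matched
    return hmac.compare_digest(legacy_hash(password, salt), stored_hex)

# Hardened replacement: SHA-256 inside PBKDF2 with a large iteration count,
# so every verification (and every guess) costs ~ITERATIONS hashes, not one.
ITERATIONS = 200_000  # assumed value; tune to your server's latency budget

def kdf_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def kdf_verify(password: str, salt: bytes, stored_hex: str, iterations: int = ITERATIONS) -> bool:
    return hmac.compare_digest(kdf_hash(password, salt, iterations), stored_hex)

def hashes_per_second(hash_fn, salt: bytes, count: int) -> float:
    """Measure how many candidate passwords one core can hash against one salt."""
    start = time.perf_counter()
    for i in range(count):
        hash_fn(f"gHj87{i}", salt)  # constructed candidates in the style of the post
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    salt = os.urandom(16)  # a fresh random salt per user, stored next to the hash
    stored_legacy = legacy_hash("gHj87Q", salt)
    stored_kdf = kdf_hash("gHj87Q", salt)
    assert legacy_verify("gHj87Q", salt, stored_legacy)
    assert kdf_verify("gHj87Q", salt, stored_kdf)
    fast = hashes_per_second(legacy_hash, salt, 20_000)
    slow = hashes_per_second(kdf_hash, salt, 5)
    print(f"salted MD5: ~{fast:,.0f} hashes/s; PBKDF2-SHA256: ~{slow:,.1f} hashes/s")
    print(f"each guess costs ~{fast / slow:,.0f}x more with the KDF, salt or no salt")
```

The ratio printed is the only thing the salt does not change; it is the iteration count that turns a few hours of exhaustive search on a six-character password into years.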