Well, first of all, it's very likely they used a botnet and some automated attack software. Secondly, there was a financial incentive[1] -- my back-of-the-napkin calculation was ~$15-25 per compromised account. That of course is ignoring secondary values like API keys, reused passwords allowing access to accounts on other sites, etc.

[1]: https://news.ycombinator.com/item?id=6766293