Just got one of those e-mails myself.
While my password was low entropy (just reset it) - I have not used it anywhere else.
There is no other way my e-mail + password combination that was sent in this e-mail was harvested from anywhere else but Airliners.net.
So either someone is doing brute force attacks and harvesting profile data from successful brute force attacks (my password was way too easy, I admit it, but I haven't been to Airliners in ages) or someone gained access to your profile database. While it is possible that data was gathered in transit, I'd think it's less likely.
As far as hashing algorithms and password storage are concerned - it is perfectly understandable not to share this data with a potential adversary and is considered good practice. My concern in this regard would only be that you are using something sane (scrypt, bcrypt, PBKDF2) and not an MD5 hashing algorithm. As it stands, my (and others') password seems to have been recovered from Airliners.net and you should seriously look into how this could have happened.