NoTroop:

Let me make sure I have this straight: they essentially had a list of potential keys for the hashes, and all they had to do was brute force different capitalizations for the hashes to figure out which belonged to which? It sounds like they just brute forced them after greatly, greatly decreasing the number of potential inputs via other vulnerabilities with the way the site managed passwords.


posted 3148 days ago