The base password thing I think is because some password schemes only depended on the first few letters and used an insecure hashing scheme that makes it easy to decrypt what they were. They may or may not actually have the rest of the password.
(though of course some hacked sites stored full passwords in plain text)
There are many routes to password leaks:-
a) By far the most common is a database that gets copied somehow (usually because it does not have adequate protection) and the passwords are stored in plain text.
Storing passwords in plain text is criminal (and literally criminal in some countries).
b) Next up is the passwords are stored in a database but the passwords are hashed using a weak hashing algorithm.
Although password hashes are one way (there's no way to decrypt them directly) it is possible to try lots of different strings until you find something that, when hashed, gives the desired hash value.
MD5 hashed passwords (with no salt[1]) can be computed very very quickly, which means it is possible to work out the vast majority of weak (and even medium strength) passwords using a few hours of computing time. You can get even more once you throw multiple CPUs and GPUs at the problem and use precomputed fun things like Rainbow Tables[2] and the like.
c) Stronger hashing algorithms are better, but if one of your passwords has already been leaked once elsewhere then that can be used as the basis for more guessing. This is when people use 'base passwords' like the above.
Stronger hashing algorithms require more computation, which slows down people trying to guess (or 'crack') the passwords, but also requires lots more infrastructure at the company to support a steady stream of login operations.
This is also where botnets come in as they are sometimes used as a giant supercomputer to help crack the password hashes by spreading the work around hundreds of thousands of computers.
d) Even having the strongest hashing algorithms isn't enough if the hackers have managed to get access to the code on the remote site that handles the logins, and have been able to get away with making changes.
The password you send to login to a site is sent in plaintext, it may be encrypted over the wire due to SSL/TLS but it will still need to get to the login code on the other side in plaintext in order for the login code to hash it and check it against what is in the DB.
There have been cases where companies have had their code hacked so that the supplied username/password are intercepted during the login code operation and the username/password data is exfiltrated. No need to steal the DB here, or worry about the hashing algorithm, just get the plaintext username/password pairs every time someone logs in.
This is quite rare though.
--
This is why it's important to have unique passwords for each site and not part of a guessable scheme.
Ideally losing one password should not require you to change your password anywhere else (using a predictable scheme does require you to do this).
1.
https://en.wikipedia.org/wiki/Salt_(cryptography)
2.
https://en.wikipedia.org/wiki/Rainbow_table
