The headline is a bit sensational. The official release is "we believe that at least some user data was exposed in the attack", and they advise everyone to change their password if it has been reused. It could be a lot less than the password hashes, though. We know that they accessed through a mod account, so we know that they had access to all emails (for confirmation emails at registration) and birthdays (required for COPPA compliance, but there's usually no sanity checking on that - I think you can say that you were born in 1492 if you like) without escalating further, but it could easily be nothing more than that.
Password hashes were MD5 with an individual user salt, so no rainbow tables - you have to crack each account individually. Reading through, MD5 is not as broken as it might appear at first. It is possible to find a collision in 2^24 (which is BAD for a 128-bit hash, don't get me wrong), but that only means that you can log in to MacRumors forums - you can't use that to log in to another site where you have reused that password. If you are somehow famous and your email address is known, then yes, they might bother simply brute forcing your password to try to reuse it, but MacRumors has enough accounts that the rest of us are likely to be able to hide in the masses.