Busted accounts - does it really matter?
Most people only sign up to websites in order to gain access to the trough of free downloadable stuff. The account being the "deal with the devil": you get a 30-day trial of their product, they get to spam you to oblivion with offers, discounts and deals (none of which you ever had any intention of accepting).
Whether or not you have the integrity to supply true and valid log-in details is also debatable. If you simply regard a vendor's attempts to get into your inbox as an annoyance you could well have typed the first thing that came to mind - I expect that a significant number of these stolen accounts list Afghanistan as the country in users' addresses, for that very reason.
You'd hope that the level of security surrounding accounts is a step or several below the security that contains any credit card info (though there should never be any CC data that's not behind industrial-strength protection). So the value of all these accounts, probably with multiple accounts for each trough-feeder, should be very small. Apart from having simple passwords - matching the value that individuals place on these accounts - I wonder how many "users" have equally simple names. Maybe most of the 1.9 million "123456" passwords were protecting "Mickey Mouse"'s account.