Theoretically the passwords should be stored encrypted by vbulletin. If AT chose not to use that standard option, they are doing a great disservice to all users.
Even the administrators and DerekWilson should not be able to get our passwords, only reset them.
Most websites don't store your password. They store a hash of your password. It's not quite encryption, but your password itself never should be sent in the clear over the web. The javascript on the client-side usually generates a hash based on the text you type in, then the website checks the hash against the database. Ironically, if you get the hashes in the database, it's just about as good as having the password in plain text. It takes a little knowhow on what to do with it at this point, but it's really not rocket science by any means.
Please, don't blame the admins. Don't blame Anand. Don't blame Derek. It's not their fault that vBulletin is an enormously popular forum engine which makes it a prime target for hacking into (think Internet Explorer for example, or Windows as opposed to *nix).
These guys are doing what they can. In the mean time, you have to treat this as any other security breach on any other site you may use. Frankly, it's no different than your bank getting hacked. The only difference here is that Anand doesn't have the payroll employ a security team to safeguard each and every one of your trivial PMs and posts. And to be honest, this is a social technical forum. If you're worried that your password is hacked and going to steal your bank account information or emails, well then you've got bigger problems than the forums being hacked.