My personal stance on this:
Companies are going to get hacked; that's just the way it is. While there are clearly security lapses visible in the data, that's no different from any other company. Maybe it was hacktivism, maybe it was a disgruntled customer, maybe it was just someone who thought it was fun--it doesn't really matter.
Epik is going to be facing a lot of criticism in the coming days, both for falling victim to an attack and for issues with the data that has been leaked. There are going to be more eyeballs on their security practices than they could ever hope to have otherwise. Keep that in mind when you're reading about how they failed to secure X or didn't follow best practice Y.
That being said, some of the mistakes here do appear egregious, and I would hope that a company of their importance would learn their lesson and hire security professionals in the future.
That's what I'm seeing, but I can't easily verify the passwords + hashes themselves haven't been tampered with--although, based on the rest of the dataset, I have no reason to doubt their authenticity.
It's quite possible that the plaintext passwords are intended for outbound authentication--that is, authenticating to third-party services. In that case, they would need to be plaintext, or at least use reversible encryption (as opposed to hashing, which is one-way).