The MD5 passwords are not the issue here. The main issue is that the hacker logged in with the admin credentials.

Ofcourse the passwords should be encrypted but what about all the other data?

So the question is: should we store all data encrypted? Because it's not if, but when will the data get exposed.