Regarding 2), I think it would be fair to say that the compromised site was in fact the one that did not use OpenID and instead stored passwords poorly. Once compromised, it exposed user credentials which could then be used elsewhere. Had they used OpenID, this would not have happened.