I would assume rarely does someone steal site's like this' user databases for info found on that particular site or to log in as them. It is because for so, so many people (as mentioned above) - they use the same password multiple places. A big problem in particular - the odds that many people use their AF password on the email account they have associated with their account here. Or use that email and password for, say, paypal. Or have a paypal account and reference it in posts - and now you have their email address (account name) for Paypal. That's half the battle to get in.
Breaches like this don't typically give away passwords, only the hashed values, but in some cases rainbow tables can be used to resolve the easier, less complex passwords. (Assume with 1 million users, of the ones with paypal accounts that use the same email address as here - some percent, even just 1 percent, have a simple password that can be resolved.). Salted passwords, which are used here, make that extremely difficult. A good read on that, well, you can find a good read on that many places, it's a well known and highly used method these days, but a quick search pulls this up:
http://security.stackexchange.com/questions/17421/how-to-store-salt ..the top answer is good.
Also, just having a database of over a million email addresses - tens or hundreds of thousands that can be shown by looking at other info (like post count) to likely not be burner of fake (for spam accounts for example).... there is value in lists of email addresses.
There's more value in lists of email addresses from a known location. Imagine sending 100k emails out saying "hey $user, it's androidforums! We're doing some audit, please click here and log in to prove you still want to keep your account otherwise we'll delete it".
(We'd never send that out, and it'd likely be fairly easy to spot that it is a fake email, but what if 1% fell for it. Then they WOULD have the plain text password that goes with 1000 emails and usernames. You see where I'm going with this..)
Sometimes it can be to tarnish reputations.
Sometimes it's boredom.
I'll bet there are instances where the supposed reason is to help make the internet a better place - forcing sites to cross their t's, dot their i's, and be more careful about patching published (or not) vulnerabilities and better protect their information. Or because members deserve to be exposed for being members. Blackmail, public shaming. (Ashley Madison).
Anyway. There are many reasons. None of which are good.