No SSL/TLS?
How, exactly, did they get credentials from SSL sessions? Did they use a 0-day exploit in SSL to perform a MitM attack of some sort?
Or is all this only talking about services that don't use SSL (or lifting credentials from one of those, then seeing if the password is reused on something more important)?
The point being that SSL is designed to keep the communication secure across a hostile network. For all intents and purposes, the internet, wireless or wired, is considered to be a hostile network. Unencrypted WiFi isn't really different in terms of it's security profile than making the same connection over a wired netwok.