Re: "Internal cybersecurity audits..."
I suspect it went something like this:
1) obtain the password hashes (and salts) of say, 10,000 passwords
2) using a common passwords dictionary (easily available from previous research), hash each of those passwords, using their salts, starting with the most commonly used password in your dictionary (e.g. Password123). First pass - 10,000 hashes. If this finds, e.g. 23 matches, then the second entry in the dictionary needs only 9,977 hashes.
3) Once you have eliminated the passwords in the common passwords dictionary, you will have a smaller number of passwords left to crack, e.g. 4,576 of them. You then move onto using a larger dictionary, and making common substitutions, e.g. 1 or ! for i, etc., adding numbers and characters on the end, etc. (e.g. L3monade.1) This is slower, but will get most of the remaining passwords. Each one you crack means fewer hashes for the next dictionary entry.
4) Once you have eliminated all the passwords based on single words, move onto two words, then three, etc. separated by various punctuation, numbers, etc.
5) You will now have a small number of passwords left that are not based on dictionary words (probably in the double digits). If you are still interested in cracking these, then start with the minimum password length (e.g. 8 characters), and run through all the letter/number/character combinations that you haven't previously checked. Each of these you will only have to hash a much smaller number of times.
Eventually, you can crack all of the passwords in the file, salted or not. It is simply a matter of applying enough computing power to it. If you're a researcher, you probably have access to a decent number of processor cycles to do this. If you are a hacker, you are probably using someone else's anyway. A good way to find some for free is to go and check various git repositories for people's AWS keys...
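The hash-count arithmetic in step 2, seen from the side of an internal audit, as an added example that is not part of the original comment. It assumes PBKDF2-SHA256 as the storage scheme, and the accounts, salts, iteration count and word list are all constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # assumption: kept low so the demo runs quickly

def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted hash of one candidate (assumed scheme: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_store(accounts: dict) -> dict:
    """Build {user: (salt, hash)} from constructed test accounts."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)  # unique salt per account
        store[user] = (salt, hash_pw(password, salt))
    return store

def audit(store: dict, wordlist: list) -> tuple:
    """Flag accounts whose password is on the word list.

    Returns (flagged users, hashes computed per word list entry).
    Each salt is unique, so every entry costs one hash per account
    still unflagged; the cost shrinks as accounts are eliminated.
    """
    remaining = dict(store)
    flagged, work = [], []
    for candidate in wordlist:
        work.append(len(remaining))
        hits = [user for user, (salt, digest) in remaining.items()
                if hmac.compare_digest(hash_pw(candidate, salt), digest)]
        for user in hits:
            flagged.append(user)  # report the account, never the password
            del remaining[user]
    return flagged, work

# Constructed sample data: six accounts, three with common passwords.
SAMPLE_ACCOUNTS = {
    "alice": "Password123", "bob": "Password123", "carol": "qwerty",
    "dave": "x9#Tq!v2Lm", "erin": "vK7$pZ0wQe", "frank": "n4&Rb8@yHs",
}
SAMPLE_WORDLIST = ["Password123", "qwerty", "letmein"]

if __name__ == "__main__":
    flagged, work = audit(build_store(SAMPLE_ACCOUNTS), SAMPLE_WORDLIST)
    print("accounts needing a reset:", flagged)
    print("hashes computed per entry:", work)
```

Raising `ITERATIONS` multiplies the cost of every entry in `work`, which is the lever a defender controls.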