"I can fully understand taking down the website as a reaction to this, but surely the best form of action would have been to post some sort warning notice to visitors along with the instructions of using MD5 or SHA. Anyone can come up with a basic web page the apologizes for the downtime and warns people of the fake download."
Because the WEBSITE was hacked. TWICE IIRC. Meaning ANY notice you put up would be promptly removed. In fact, you may end up tipping the hackers to post THEIR OWN instructions on using MD5HASH and so on...only with all the hashes replaced with THEIRS.