The specific set of data doesn't make sense either. If they were able to retrieve password hashes then I'd expect they'd have all of the user fields, which they're not claiming to have.

If the threat actor wishes to prove the veracity of their claim, they should post a sample of the actual data.