At the very least it sounds like you can get the password of many users (MD5 isn't exactly secure) and if they're sharing passwords then that's bad for them. You can also gain admin access and mess around with the site practically undetected for an indefinite amount of time.