A data breach of 1,500 sites that did not implement HTTPS has surfaced. The leaked information includes emails and passwords in plain text. More than 2 GB of .txt files containing user credidentials were freely available on http://www.pxahb.xyz . The breach has probably occured in December 2017, judging by the files' date of creation. I can't provide you with the full list of affected websites, but there are no "big ones" amongst them(e.g. Google, Yahoo, Amazon, etc.) as they all implement HTTPS correctly.
The website has been taken down, but I found some url reports that contain screenshots:
Report 1
Report 2
There is no information about the breach in mainstream media, the only coverage that I could find is a YouTube video from the (fairly) popular Linux youtuber Quidsup. He is a reliable source when it comes to computer security/privacy and related topics(btw he works as a malware analyst). I will try to update the topic if any new information appears.
However, the leaked data still shows that people are not very creative when it comes to passwords, phrases like "123456" and "password" are common. But the ones to blame are the people who maintain those websites. Having a login page on your website in 2018 and not having HTTPS enabled is a complete suicide - sniffing HTTP traffic can be done by anyone skilful enough to power on a computer. SSL certificates are not expensive to obtain, and certificate authorities such as Let's Encrypt give them out for free. There is literally no excuse for not having HTTPS on your website.
Update: Thanks to Google's cache we have part of the list of affected websites: https://webcache.googleusercontent.com/search?q=cache:lITAZhUWlk4J:pxahb.xyz/emailpass/+&cd=2&hl=en&ct=clnk&gl=en