There's a difference - he's not selling the leaked passwords. He's selling the information that a password has been leaked for a certain account. You can't buy stolen passwords from the site, so it's perfectly legal.
I don't think it is that clear -- he is selling access to a data set containing PII (email address or account names). Its stolen data. One can make a case that free and open access to this data set is a common good, however once money is involved, one is conducting business with data that one did not legally obtain. It is not 'perfectly legal'.
