...It just doesn't look legit to me. ...
It's likely 99.9% bullshit. Apparently those emails/passwords are invalid (didn't check that myself though).
Some of them apparently work and ask for 2FA -- but a good hoaxer
would include real accounts on the list. Some of the accounts show up on Haveibeenpwned, so they may have just pulled from old leaks. The fact that there's a typo on the list ("gmai.com") suggests it wasn't dumped from Poloniex's database. It could have been scraped from a phishing site, but it doesn't look like a legit hack.
If he was legit, he would contact Polo directly for ransom/bounty demand, then Polo would have no choice but to take immediate actions like sending mass emails asking everyone to change their passwords.
I reckon it's either a troll, or he just wants to hype it up to get people to click or download whatever he'll post tomorrow, which could be a malware.
Looks like an FUD attempt to me.