I just sold a Mac Mini, and I erased/formatted the hard drive before I turned it over, but I didn't wipe it securely (not wise, I know). How would a criminal take advantage of this fact? What is the probability of any of my sensitive files (passwords) being compromised after the buyer reinstalls the operating system?
This computer was not used for a lot, but I did use it to work from home and it may contain passwords for work-related things.
My suggestion would be to change your work (and possibly other) passwords, just to be on the safe side.
It is quite easy to retrieve data, even after a format, with the proper tools. A quick Google search on "data recovery tools" reveal that a lot of (paid) tools are available to recovery data.
In my personal experience it was possible to retrieve data from a machine that was formatted during a new Windows installation. Even after the OS was re-installed I was able to get back all of the "lost" data.
Although the likelihood of someone doing this is low, you shouldn't take any chances on your passwords. At this point I do consider them compromised.
How would a criminal take advantage of this fact?
Assuming that the criminal wants to recover data from your old machine they will likely remove the hard drive and connect it to another system which can read it directly.
If it was encrypted (I assume not?) they will probably realise this pretty quickly and they'll abandon the exercise and sell the machine on.
If not encrypted data recovery tools can be used and probably get just about everything that was on the drive, including stuff that you may have deleted a long time ago. The result is broadly equivalent to someone having access to your machine if you leave it logged in and unattended.
If they are after something specific and have some technical knowledge (i.e. they know how to do what the data recovery tools are automating) they could target specific 'patterns' on the disk, which will enable them to focus on what they are after and only recover what is 'important'...if they can find it. This has the potential to recover far more information because it is not constrained by the limitations of file recovery software and can find information in corrupted or partially overwritten files.
What is the probability of any of my sensitive files (passwords) being compromised
There are people around, including criminals, who will specifically go after secondhand machines to recover data from them, though not necessarily for nefarious reasons, for example many years go I used to buy old hard drives when learning evidence collection and data recovery techniques. It is unlikely that you have sold your old machine to someone like that, but it is possible.
If the disk was encrypted - low probability.
If the disk was not encrypted:
I suspect, though I have no evidence to back this up, that credentials stored in keychain will not be vulnerable without a brute force attack or knowledge of your login password.
If it was encrypted it should be fine (assuming strong encryption algorithm and strong password).
If not an attacker that has purchased your computer might be able to retrieve files containing session cookies or authentication tickets for sites and services you were logged into.
If you are concerned then reset your password on all sites, and terminate all other open sessions for sites and services that support this (e.g. Google, Facebook and Dropbox allow expiration of sessions on other devices).
PhotoRec is a tool that can be used to recover "accidentally" deleted photos and files. This tool can also be used to recover data after a drive was reformatted. A malicious buyer could use this tool to recover your old files.
In a defensive tactic, you could use the tool on your own future machine prior to selling it, in order to determine which files could be recovered.