Have weaknesses in SHA-1 and MD5 ever actually been successfully used in an attack?

I'm not aware of any publicly known attack using a collision in SHA-1, but MD5 collisions were probably already used in attacks in 2010. In 2012 it was discovered that malware from the Flame attack had a valid signature from Microsoft, which was possible due to an MD5 collision attack. See http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx for more details.

As for using MD5 or SHA-1 with passwords: simply hash some trivial password with MD5 or SHA-1 and then look up the hash with Google. Example:

 password:   "secret"
 md5 (hex):  "5ebe2294ecd0e0f08eab7690d2a6ee69"
 sha1 (hex): "e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4"

The first hit on Google for the MD5 hash presents you with the password, as does the first hit when searching for the SHA-1 hash. Thus typical passwords can easily be detected as long as the hash is not salted.

Apart from that, even SHA-256 is a bad choice for passwords. These kinds of hash algorithms are designed to be fast, which only makes brute-forcing passwords easier. For more details about this topic see "How secure are sha256 + salt hashes for password storage".
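The two points in the answer above (an unsalted fast hash of a common password is the same for everyone and therefore trivially searchable; a salted, deliberately slow password hash is not) can be checked directly. The following is an added illustration, not code from the answer's author. It recomputes the MD5 and SHA-1 digests quoted above, simulates the "look the hash up" step against a small constructed wordlist, and contrasts that with PBKDF2-HMAC-SHA256 from the Python standard library using a random per-user salt. The iteration count and the storage format `pbkdf2_sha256$iterations$salt$hash` are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def unsalted_md5(password: str) -> str:
    """Plain MD5 of the password, as in the answer's example (no salt)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, as in the answer's example (no salt)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed toy wordlist; a real precomputed table holds millions of entries.
WORDLIST = ["123456", "password", "secret", "letmein", "qwerty"]


def lookup_unsalted(digest_hex: str, hash_name: str = "md5") -> Optional[str]:
    """Simulate the 'search for the hash' step from the answer.

    Because nothing user-specific goes into an unsalted hash, one table built
    from a wordlist answers the question for every user of every site that
    stores the same kind of hash.
    """
    table = {hashlib.new(hash_name, w.encode("utf-8")).hexdigest(): w
             for w in WORDLIST}
    return table.get(digest_hex.lower())


# Assumed iteration count for the illustration; pick per deployment.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow password hash: PBKDF2-HMAC-SHA256 with a 16-byte random salt.

    Returns an assumed self-describing record 'pbkdf2_sha256$iter$salt$dk' so
    the verifier can recover the parameters without a separate lookup.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different records, so a single
    precomputed table cannot serve both; each guess must be recomputed per user."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("md5 :", unsalted_md5("secret"))
    print("sha1:", unsalted_sha1("secret"))
    print("wordlist hit:", lookup_unsalted(unsalted_md5("secret")))
    rec = hash_password("secret")
    print("pbkdf2 record:", rec)
    print("verify ok:", verify_password("secret", rec),
          "wrong pw:", verify_password("Secret", rec))
    print("same password, different records:", salted_hashes_differ("secret"))
```

Running it prints the same two hex digests quoted in the answer, finds "secret" in the toy table immediately, and shows that the PBKDF2 record changes on every call while still verifying correctly; the `compare_digest` call avoids leaking timing information during verification.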


MD5, in particular, is now considered cracked for a very good reason:

The MD5 hash collision attack that hijacked the Windows Update system back in 2012 was replicated with just 65 US cents worth of cloud computing fees

It took about 10 hours of CPU time to do the attack. This particular attack used a chosen-prefix attack, which means you could format your data to prevent the attack from working, but the mere fact that this could be done declares that the security of your hashing is no longer found in the hashing algorithm, but in the data format you are hashing (which is a very poor place to put your security guarantees).
