I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see
http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.
The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).
$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognizable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.
You learn something new every day.
So, the $1$salt$ part is the salt, and it is computed (roughly) by salt + password = hash, then hash + salt + password = hash 2, and so on, repeating 1000 times, and the result is then encoded into a unix DES hash? Doesn't sound too safe, since the salt is known, but I guess it means that bruteforcing takes, theoretically, 1000 times longer. This should knock off 2-3 letters from the length of password that is still viable to bruteforce. But it's true that even if someone cracks just 1 account with a weak password, they can get a killing.
The irony is, if someone has the processing power to bruteforce the majority of these passwords, they could already get money just by mining bitcoins.
. Guess they tried to login using the password from mtgox.
