Password are encrypted one way (+salt). Someone cannot be selling "user + pass" unless he has some way to revert this.
In one expression: FUD
Well, to be fair, if you have the hashed values, it takes very little effort to bruteforce a large number of passwords. Especially if you use tables.
Your statement makes me nervous about the state of overall security at mtgox....relying on hashed passwords was a failing paradigm over a decade ago.