Bit_Happy: PM sent. I'm 99% certain it's legit.
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
Exactly. When you see a DB leak for a site you're a member of,
you don't sit around wondering how strong the hashing mechanism is you start changing your passwords. If you only used the password on MtGox, oh well you don't really have anything to do right now. If you reused the same password anywhere else, stop thinking about how strong the hash is and change your freakin' password - the effort required for the latter is much less than the former and then it's done... from your perspective the information that's leaked is no longer valid. Whether it takes 2 minutes or 2 years to crack your password is irrelevant if you've already changed it someplace else.
Password hashing isn't meant so that a bunch of fools can sit and think "I'm safe" - it's to buy you time between when the credentials are taken, and when they're useful... to give you a chance to make them not useful.