And what about the users who had their accounts compromised in the past few weeks or so?
Many were trolls who lied, IMO.
A password hash does not allow you to login. The mysterious big account might have had a virus/key-logger on his PC.
Actually it does if SQLI attack were possible (which apparently it is at mtgox). All the server want is compare the password hash with the one it had in the db. If you bypass the login box and provide the server with the hash directly thru SQLI attack, the mtgox server would allow you to login.