Essentially any brute force client (GPU, CPU, whatever) will run billions of iterations of this:

1. Generate string
2. Grab salt (usually part of the input, at least in the case of the FreeBSD MD5 that Mt.Gox used)
3. Run crypt(string, salt), which in the FreeBSD implementation actually hashes about 1000 times
4. Check if output is expected output.
5. Repeat the above.

The nice thing about the salted FreeBSD-style MD5 is that it is pretty computationally expensive to run.  High-end GPU setups only manage about 3 MH/S, and CPUs about 12 KH/S per thread (I managed 48KH/s on an overclocked i5 750).  This slows down potential crackers considerably.   At 48KH/s, you can expect an 8-char password containing all possible characters (num, letters, specials) to take some 2.93*10^12 years.  On a GPU it is orders of magnitude better but still on the order of years.

It is very likely that the major account that was hacked was only compromised because it had its password encrypted using the old DES encryption Mt.Gox used to use until 2 months ago.  If that password was retrieved at any point and not changed it would be easily used to wreak havoc.