edit: Speculation superseded by MT's post after this.

Agreed. If brute forcing this password was the attack vector then someone has access to the MtGox hashes incl. salt or is able to perform an enormous amounts of live tries towards the API.

(J. has stated the pw only ever existed at MtGox, wasn't reused etc etc)