Board: Bitcoin Discussion
Re: Im just been attacked and robbed on my MT Gox account
by fcmatt on 06/08/2011, 02:08:00 UTC
Here we have a mtgox user who got owned due to a process on mtgox that made it easy for the attacker
to do so via a password reset while having access to the user's email account.

It strikes me as very beneficial for mtgox to close this hole.

The "hole" happens to be standard security procedure for every site on the internet... even banks.
If you lose control of it there is nothing a site can reasonably be expected to do.



I just checked my bank's website and that is not the case for me.
You need to know the user name as well as your account number, which I cannot recall ever seeing in an email from them.
If you forgot your user name you need a debit card number, debit card pin, and the account number.

My point is that my bank made it harder than just knowing a user name and the email is sent containing enough information
to reset the password via a web page.

The process you mention above is perfectly fine for a forum like this one.

But I am not trying to be argumentative. All I am saying is here is one way for MTGOX to improve their security for a website
that is going to be attacked on a daily basis using every method known to hackers.