Post
Topic
Board Project Development
Re: [Pre Alpha] PHPCoin
by
Xephan
on 14/08/2011, 17:10:07 UTC
Actually my account's password there was hashed with md5 salted crypt algorithm ($3$salt$hash)...

They did mention that it was older accounts that were affected, i.e. they realized the security weakness and changed the hash algo/procedure before you signed up or last changed your password. That was one of the other mistakes: having discovered this weakness and implemented a better system, they failed to notify potentially vulnerable users to update their password to force a new hash. In some projects, once a breach appears probable, they notify and force everybody to change their passwords to be safe. An organisation dealing with money should be even more paranoid.

Quote
which makes me believe also, someone had that db for quite a while. The added difficulty would represent one thing; the attack may not happen when it happened, but somewhere in the future... thus the attack would come to place either way.

Possible, but based on available information, that somebody may only have had the mtgox data for a few days prior to the scam. In any case, it is ALSO assumed that given sufficient time, any hash can be broken due to cryptographic advances or computational advances. Which is why there is the recommendation for users to change their passwords at least once every now and then. Once a year should be relatively safe since most hash algos are chosen to take at least years to break, and an annual change is not particularly inconvenient for users as well.
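The migration gap described in the post above (a stronger hash was introduced, but accounts still on the old one were never forced to update), sketched as an added example that is not part of the original post or of any project named in it. The storage formats (`md5$...`, `pbkdf2_sha256$...`), the `must_reset` field and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor for this example

def hash_legacy(password):
    # Constructed stand-in for an old, weak scheme (unsalted MD5).
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def hash_current(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(hash_legacy(password), stored)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False

def needs_upgrade(stored):
    parts = stored.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS

def login(db, user, password):
    rec = db.get(user)
    if rec is None or not verify(password, rec["hash"]):
        return "denied"
    if needs_upgrade(rec["hash"]):
        # The plaintext is only available at login, so rehash it now.
        rec["hash"] = hash_current(password)
    # After a suspected breach the old password itself must also be replaced.
    return "reset_required" if rec.get("must_reset") else "ok"

def flag_legacy_accounts(db):
    # Accounts never rehashed since the change: mark for notification and reset.
    flagged = [u for u, r in db.items() if needs_upgrade(r["hash"])]
    for u in flagged:
        db[u]["must_reset"] = True
    return sorted(flagged)

if __name__ == "__main__":
    db = {"alice": {"hash": hash_legacy("pw-a")},   # constructed sample accounts
          "bob": {"hash": hash_current("pw-b")}}
    print(flag_legacy_accounts(db), login(db, "alice", "pw-a"))
```

Rehash-on-login only covers users who come back; `flag_legacy_accounts` is the step that catches dormant accounts whose weak hashes would otherwise sit in the database indefinitely.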