Board Marketplace
Re: mtgox.com has blocked my account with 45 000 USD in it!
by
BCEmporium
on 02/03/2011, 13:20:57 UTC
However, I am almost convinced that Baron is indeed a scammer.

Playing a bit of judge here and speaking for myself, I would say both stories have holes, with the "tendency to believe" on mtgox's part.
Nevertheless this is an expensive lesson for mtgox - if not in money, then as a blow to his reputation, which amounts to the same in this community -, he has to secure his site better.

A piece of invisible code like this:
Add to the main files, right after session_start(), except for the path that leads to the login:
Code:
// Any page other than the login form: if the flag exists, clear it,
// so a session that wandered away from the form can no longer log in.
if(isset($_SESSION['canLogin'])) $_SESSION['canLogin'] = 0;

Add to login file:
Code:
// The page that renders the login form: arm the flag for this session.
$_SESSION['canLogin'] = 1;

Add to login function:
Code:
// The login handler: refuse any request whose session was not armed by the form.
if(!isset($_SESSION['canLogin']) || $_SESSION['canLogin'] != 1) die("Invalid login attempt!");

This is a very basic security measure against "widely available brute forcers": they don't process whole headers, so they create a new session on each attempt. Not having a session variable that only exists near the login form would prevent the attacker from using them.

You can add more features like counting attempts per IP and blocking access from that IP for several hours. Add a captcha...
There are many ways to circumvent dictionary attacks.
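As an added illustration (not BCEmporium's code, and not mtgox's), here is a Python model of the three PHP snippets above together with the per-IP attempt counter the post suggests. It replaces PHP's session machinery with an in-memory dictionary so the request sequence can be stepped through offline: a login POST that arrives without a session armed by the form is rejected, a session that visited any other page after the form is rejected, and an IP that fails too often is locked out for a while. The class and method names, the session store, the cookie handling, the five-attempt limit and the one-hour lockout are all assumptions made for this example; a real site would store password hashes rather than the demo strings used here.

```python
"""Model of a session-gated login plus a per-IP failure counter.

Added example, not the forum poster's PHP: the session store, cookie
names, attempt limit and lockout length below are assumptions.
"""
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed: failed logins allowed per IP
LOCKOUT_SECONDS = 3600    # assumed: block the IP for one hour after that


class Site:
    def __init__(self, users):
        self.users = users        # username -> password (demo only; real sites store hashes)
        self.sessions = {}        # session id -> dict of session variables ($_SESSION)
        self.failures = {}        # ip -> (failure count, time of last failure)

    def _session(self, cookie):
        """Equivalent of session_start(): resume the session named by the
        cookie, or create a fresh, empty one when the cookie is missing."""
        if cookie in self.sessions:
            return cookie, self.sessions[cookie]
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def get_page(self, cookie=None):
        """Any page except the login form: clear the flag if it exists."""
        sid, sess = self._session(cookie)
        if "canLogin" in sess:
            sess["canLogin"] = 0
        return sid

    def get_login_form(self, cookie=None):
        """The page that renders the login form: arm the flag."""
        sid, sess = self._session(cookie)
        sess["canLogin"] = 1
        return sid

    def _ip_blocked(self, ip, now):
        """True while the IP is inside its lockout window; stale entries are dropped."""
        count, last = self.failures.get(ip, (0, 0))
        if count >= MAX_ATTEMPTS and now - last < LOCKOUT_SECONDS:
            return True
        if now - last >= LOCKOUT_SECONDS:
            self.failures.pop(ip, None)
        return False

    def post_login(self, ip, user, password, cookie=None, now=None):
        """The login handler. Returns one of: blocked, invalid, wrong, ok."""
        now = time.time() if now is None else now
        if self._ip_blocked(ip, now):
            return "blocked"
        sid, sess = self._session(cookie)
        # The poster's check: the request must carry a session that was
        # armed by the login form and has not visited another page since.
        if sess.get("canLogin") != 1:
            return "invalid"
        stored = self.users.get(user, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures.pop(ip, None)   # a good login clears the counter
            sess["user"] = user
            return "ok"
        count, _ = self.failures.get(ip, (0, 0))
        self.failures[ip] = (count + 1, now)
        return "wrong"


if __name__ == "__main__":
    site = Site({"alice": "correct horse battery"})   # constructed demo account
    print(site.post_login("10.0.0.1", "alice", "correct horse battery", now=0))  # invalid: no armed session
    sid = site.get_login_form()
    print(site.post_login("10.0.0.1", "alice", "correct horse battery", cookie=sid, now=1))  # ok
```

Walking through it with `python` prints `invalid` for the POST that never fetched the form and `ok` once the form's cookie is carried along. The gate only raises the bar for clients that discard cookies between requests, which is exactly the limitation the post states; the per-IP counter is what stops a client that does keep the cookie from trying indefinitely, so the two belong together.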