Its a possibility  . You can also patch their code by replacing the HashWord function with SHA256 provided by Crypto-JS. There would be no hash collisions then. Just to give an idea on the difficulty, it took about <10 seconds to solve all addresses via a Java program running on a CPU.

Edit:
I bruteforced all possible hash collisions with hash 35431 over characters 48-123 (0-9, alphabet, + some extra) and none of them appear to be valid private keys. Are you sure its updated?