Just to answer some of the worries about the password hash included in the file:
1) It's true that md5 has been compromised, and that exploits have been found to generate hash collisions for modified certificates and files where the certificate/file content is already known. However, this *cannot* be used to crack an unknown password more easily. Brute force is realistically the only way.
2) The passwords are salted before hashing, and each password has an individual salt which is stored with the hash. @mbraun is incorrect in saying this makes security weaker; in fact it makes it stronger. To quickly cover this for those who don't know, a "salt" is a small chunk of data that is added to the start of your password before it is hashed; this prevents "rainbow tables", or lists of precomputed hashes, from being used to very easily look up passwords from a hash. Salting all the passwords for a system means that standard rainbow tables can't be used; however, if a single salt is used, once that's known then attackers can regenerate their rainbow tables using the same salt and brute-force all the passwords in one go. Having an individual salt for each password (which does then have to be stored with each password, so it can be used!) is much safer: it means attackers must brute-force each password individually.
You can criticise MtGox a lot for having a system that could be broken into, but their password hashing is better than much of what's out there. I'm not saying it couldn't be improved (a stronger hashing scheme with many rounds to make brute-forcing even slower would be better), but the attackers are going to have to break each password separately so that non-trivial passwords will take a significant time to break.
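The three storage schemes this comment contrasts (unsalted, one shared salt, per-user salt), as an added Python illustration that is not part of the original post; the four-word dictionary, the three users and the salts are constructed, and the many-round hash uses PBKDF2-HMAC-SHA256 as a stand-in for the stronger scheme suggested above.

```python
import hashlib
import secrets

# Constructed four-word list standing in for a precomputed dictionary.
WORDLIST = ["password", "letmein", "hunter2", "bitcoin"]

def hash_salted(pw: str, salt: bytes) -> str:
    """md5 over salt + password, the salt prepended as the post describes."""
    return hashlib.md5(salt + pw.encode()).hexdigest()

def build_table(salt: bytes = b"") -> dict:
    """hash -> password for every word under ONE salt (empty salt = the generic,
    reusable list of precomputed hashes). It is only valid for that salt."""
    return {hash_salted(w, salt): w for w in WORDLIST}

def store_passwords(users: dict, salt_for_user) -> dict:
    """Simulated site password table: user -> (salt, hash). The salt is stored
    beside the hash because it is needed again to check a login."""
    stored = {}
    for user, pw in users.items():
        salt = salt_for_user(user)
        stored[user] = (salt, hash_salted(pw, salt))
    return stored

def crack_with_table(stored: dict, table: dict) -> dict:
    """Precomputed lookup: no hashing at all is done at lookup time."""
    return {u: table[h] for u, (_, h) in stored.items() if h in table}

def tables_needed(stored: dict) -> int:
    """One precomputed table per distinct salt, i.e. how many separate
    brute-force efforts a leaked table forces."""
    return len({salt for salt, _ in stored.values()})

def hash_slow(pw: str, salt: bytes, rounds: int = 100_000) -> str:
    """The improvement the post suggests: many rounds make each guess cost
    `rounds` hash computations instead of one (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()

if __name__ == "__main__":
    users = {"alice": "password", "bob": "letmein", "carol": "hunter2"}
    for label, salt_fn in [("unsalted", lambda u: b""),
                           ("single site-wide salt", lambda u: b"sitewide"),
                           ("per-user salt", lambda u: secrets.token_bytes(8))]:
        stored = store_passwords(users, salt_fn)
        generic = crack_with_table(stored, build_table())
        # Rebuilding the table with one user's salt only helps against users sharing it.
        rebuilt = crack_with_table(stored, build_table(stored["alice"][0]))
        print(f"{label}: generic table recovers {len(generic)}/{len(users)}; "
              f"table rebuilt with alice's salt recovers {len(rebuilt)}/{len(users)}; "
              f"distinct salts: {tables_needed(stored)}")
```

Expected output: the generic table recovers 3/3 only in the unsalted case, the rebuilt table recovers 3/3 under the shared salt but 1/3 under per-user salts, and only the per-user scheme reports 3 distinct salts.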