So you think it's probably down to either malware or phishing?
I'm not ruling it out but I'd be surprised if it was either.
I don't think anyone is saying none of the entries could have come from cracking. Your mentioned 8 character password could easily have been the result of cracking, especially if it had any dictionary word as part of it.
The two things we can say for (pretty darn) sure:
- Whatever cracking was done wasn't applied equally, perhaps they only focused on some entries
- Some of the results are very, very unlikely to have come from cracking
For the ones that fit in the latter category, malware and phishing aren't the only possible answers, though they are probably the most likely. Other possibilities could be password reuse: if the person who published the cracked list ran another bitcoin site that he had set up to log all the passwords in the clear, he could have tried all of them against the hashes to start out. Or, the publisher could be the Mt. Gox hacker or another person who gained more access to Mt. Gox than we've been led to believe - there are a number of ways you could capture the password before it's hashed as someone logged in. Either by changing the site software, modifying the DNS/stealing the site certificate, or simply just pulling off an XSS attack that presented a bogus idled-out/login page.
There are surely more possibilities than that, they just become even less likely. The only thing you can be (pretty) sure of is that it's not hash cracking.