Somewhere, I made calculations on this, but the gist is that it's many multitudes more likely for someone running one slow program to correctly guess the name, ID#, and CW2 of a credit card with an active LoC than it is for hundreds of botnets of hundreds of thousands of computers all running hyper-efficient software generating addresses to find a funded address.
Like Burt says, it's basically impossible for an incidental collision, and it's also basically impossible to intentionally find a used or funded BTC address. -But to answer your question, they'd be able to spend and send bitcoin in/to the address just like you.
ETA:
Here are the chances:
Assuming 500K addresses which either have funds or will have funds within next three months,
0.0000000000000000000000000000000000000000034211388289180104270598866779539% chance per check.
Assuming average computer can do 250 optimized DSV-like checks per second,
0.00000000000000000000000000000000000000085528470722950260676497166948848% chance per second.
Assuming a "theft pool" is formed, and 500 of these computers averaging the above click/s,
0.00000000000000000000000000000000000042764235361475130338248583474424% chance per second.
Assuming each theft pool is one botnet, and 20 botnets, exactly the same, exist in these theft pools,
0.0000000000000000000000000000000000085528470722950260676497166948848% chance per second.
Per minute,
0.00000000000000000000000000000000051317082433770156405898300169309%
Per hour,
0.000000000000000000000000000000030790249460262093843538980101585%
Per day,
0.00000000000000000000000000000073896598704629025224493552243804%
Per month (30D),
0.000000000000000000000000000022168979611388707567348065673141%
Per year,
0.00000000000000000000000000026972258527189594206940146568988%
Assume worst-case scenario, DSV-like software can check 5000 addresses (10M of which are funded or will be funded within 6 months) per second, and 100 botnets of 50,000 computers each...
Per day,
0.000000000000000000000000014779319740925805044898710448761%
Per month,
0.00000000000000000000000044337959222777415134696131346283%
Per year,
0.0000000000000000000000053944517054379188413880293137978%
Per century,
0.00000000000000000000053944517054379188413880293137978%
Are we done, now?
ETA: Worse-than-worst case scenario. NSA can check 1T addresses per second, 1T addresses are funded.
Per century,
0.0000000000000021577806821751675365552117255191%
Per billion centuries,
0.0000021577806821751675365552117255191%
for credit card:
What is the probability (per check) of finding a valid, activated credit card number and selecting the correct CVV, cardholder's name, and expiration date, assuming the expiration date is not beyond five years into the future?
Maybe just for a US Capital One MasterCard credit card, to keep things simple. Uses MOD 10 algorithm.
http://en.wikipedia.org/wiki/Mod_10 The first six digits of these cards are 517805. Digits 7-15 are unknown - the account ID #. Digit 16 is the MOD 10 checksum number.
This means there is a total pool of 99,999,999 accounts. Assume 10,000,000 are activated.
Expiration date is simple. Most (all?) aren't valid for more than 5 years. That gives a 1/60 chance of getting only the expiration date correct per check.
Cardholder's name is more of a clusterfuck. Let's assume only looking at "black" and "white" names (we're looking for a US account, remember) gives you 85% of all total active accounts. Let's assume common names make up 60% of all total active accounts, and that there are 50,000 common name combinations.
CVV is easy, and we'll assume we don't know how Capital One comes up with these numbers, so it's a simple 1/999 chance.
So. We need to successfully correct all of them in one go, and we have one ~1/10 chance (account #), one 1/60 chance (exp. date), one ~1/83333 chance (cardholder name), one 1/999 chance (CVV).
I think the per-check probability of all this comes to .000000000020020100300621424707921073926538% (low confidence, someone smart should check this because I originally posted this post as a question but ended up giving enough data where I thought I could solve it).
Keep in mind, per-check chance of finding funded bitcoin address is ~0.0000000000000000000000000000000000000000034211388289180104270598866779539%.
To make the numbers a little easier to grasp, here is %chance of finding bitcoin address if "DSV-like software can check 5000 addresses (10M of which are funded or will be funded within 6 months) per second, and 100 botnets of 50,000 computers each":
Per century,
0.00000000000000000000053944517054379188413880293137978%
If 100 botnets of 50,000 computers could check only 1,000 addresses per second (5x slower than above stats for bitcoin), the chance of correctly guessing info on an activated credit card is:
Per century,
10.01005015031071235396%
ETA: I left out PIN number. Point still stands.