Or combine with another service which uses MD5 hashes differently. You used to be able to copy a Gravatar hash into a Disqus url and see the email address, if that person had ever made any Disqus comments on any blog anywhere using their email address.

No brute-force necessary.