Email addresses (and usernames themselves for that matter) are really no different from very weak passwords: short, predictable, low-entropy, human generated strings. And of course the domain names are also extremely predictable (you'll have some one-off domains here and there, but all the major domains are well-known and publicly available.) The cracking approach is pretty simple: list of domains in one wordlist, regular password wordlists in another wordlist, run combinator attack.
I've encountered lots (millions?) of MD5'd emails in the past and have not really had any difficulty cracking them (85-90% success rate?) See Gravatar, for instance. Really easy to get someone's email address from their Gravatar hash.
Better way to do it would be to treat the emails just like passwords, and as such, you'd use a proper password hashing algorithm like bcrypt or something.
I've encountered lots (millions?) of MD5'd emails in the past and have not really had any difficulty cracking them (85-90% success rate?) See Gravatar, for instance. Really easy to get someone's email address from their Gravatar hash.
Better way to do it would be to treat the emails just like passwords, and as such, you'd use a proper password hashing algorithm like bcrypt or something.