Cost factor of 12000 seems solid to me (depends on the hardware they're running on but I'd say brute forcing your way through that would be pretty impossible)
A PBKDF2 cost factor/iteration count of 12000 and 32-byte output means each candidate passphrase costs 12002 SHA256 blocks.
I can buy a crappy bitcoin miner which will do 2GH/s for about USD19.
Let's say we're going to use the Gawker leak as our dictionary. That's ~200,000 candidate passwords.
For a given user, I can therefore find their password (if it exists in the Gawker set) in 12002 * 200000 = 2.4GH SHA256 applications. That will take 1.2 seconds.
So for all 125 million eBay users, that's about 4 years. This work is trivially parallelisable, so buying more or faster hardware is brutally effective.
Note: there is obviously, and hopefully, a non-negligible probability that a user's password isn't in that set. Brute force of (say) the whole 8 printable-ASCII character password space would take longer but would be guaranteed to find to find about 50% (from Adobe leak) of user's passwords.
cipher/hash: pbkdf2_sha256
cost factor: 12000
salt: zhMKabMgayvK
hash: iniviUCcX9y2PYJcm0AoB3MhybRA1z2Cec1DZnLWxWc=
This exact technique (pretty much) is described here: http://exyr.org/2011/hashing-passwords/. It's a decent, secure way to hash passwords.
Cost factor of 12000 seems solid to me (depends on the hardware they're running on but I'd say brute forcing your way through that would be pretty impossible)