Not sure their what their heuristics are for narrowing the search space, but there certainly are some good ones. For instance, early versions of blockchain.info's wallet generated private keys by reading an ARC4 stream that had been seeded with Math.random() calls xor'd with timestamps. Quite the circus!
I believe there was a time when blockchain.info's Android wallet generated keys from Apache's 301 redirect HTML fetched over HTTP[1].
I think there's also a lesson about idiot-proofing APIs. With the benefit of this in hindsight, I might instead return an invalid, non-HTTP response that blows up every major HTTP client internally, so that it's impossible for the API consumer code to happily truck along interpreting a non-200 response body as if it's valid random data.
There is no practical way of finding a collision for a specific key. Finding collisions to one of the created keys non-specifically is a much smaller search space.
