First, the good news: the scale of the attack affected “fewer than a hundred accounts” out of Dropbox’s 25 million total users. But according to the letter, those accounts were all accessed by a single individual. In other words, these weren’t accidental logins due to typos — someone discovered the hole and actively used it to access files that were not theirs. That’s obviously very alarming.
TechCrunch also has a supposed email that Dropbox is sending the affected users. It’s nice that the CEO is willing to call these users and that they set up free credit monitoring — still, this should not have happened.
What’s more alarming is that someone actually purposefully started accessing other user accounts. I just don’t buy that Dropbox “knows” exactly how many accounts were accessed.