It might be a good idea for large companies like Dropbox--or frankly, anyone storing email addresses--to include a handful of (long, random, unguessable) canary addresses in their user DB which sound a high alarm if they ever receive email.
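The canary-address idea from the comment above, as an added example (not code from any commenter or from Dropbox): one random address is seeded per data store, and inbound mail is checked against the set so a hit also says which store leaked. The domain, the dataset labels and the sample message are constructed assumptions.

```python
import secrets
from email import message_from_string
from email.utils import getaddresses

# Assumption: a domain whose inbound mail you control and can inspect.
CANARY_DOMAIN = "mail.example.com"
# Headers that can carry the envelope or visible recipient of a message.
RCPT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")


def make_canaries(datasets, domain=CANARY_DOMAIN):
    """Return {address: dataset}: one unguessable address per seeded data store."""
    # 16 random bytes -> 32 hex chars, so dictionary or typo traffic cannot hit it.
    return {f"{secrets.token_hex(16)}@{domain}": name for name in datasets}


def canary_hits(raw_message, canaries):
    """Return sorted (address, dataset) pairs for each canary among the recipients."""
    msg = message_from_string(raw_message)
    values = [v for h in RCPT_HEADERS for v in msg.get_all(h, [])]
    # Addresses are compared lower-cased; display names are discarded.
    recipients = {addr.strip().lower() for _, addr in getaddresses(values) if addr}
    return sorted((a, canaries[a]) for a in recipients if a in canaries)


if __name__ == "__main__":
    # Hypothetical stores: the main user table and the referral-invite list.
    canaries = make_canaries(["users_table", "referral_invites"])
    leaked = next(a for a, d in canaries.items() if d == "referral_invites")
    # Constructed sample message, as a mail filter would receive it.
    sample = (
        "From: promo@example.net\n"
        f"To: Someone <someone@example.org>, <{leaked}>\n"
        "Subject: You have won\n\n"
        "body\n"
    )
    for address, dataset in canary_hits(sample, canaries):
        print(f"ALERT: mail to canary {address} (seeded in {dataset})")
```

The address-to-dataset map is the only secret state; keep it outside the databases it is meant to watch.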
Just two wild guesses from my side, as I don't think that the whole database got compromised:

1. Some accounts got compromised (phishing, trojan, whatever). In those accounts a list of all referral email addresses can be seen. Those addresses have been targeted.

2. The Dropbox application stores information about the email addresses of people you have a shared folder with somewhere on your machine. This data got accessed by some kind of malware. Maybe this information could also be accessed through the web interface of compromised accounts (I am not sure about that).

Even a small-ish number of compromised accounts could lead to many addresses being leaked. I, for example, have about 15 referrals and share folders with about 50 people.
It's not certain that these leaks were FROM Dropbox. These might well be, but there is no confirmation of this. This was discussed here a few days ago.

http://news.ycombinator.com/item?id=4255927