Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
In other words, for almost four hours anyone could have logged into any Dropbox account with any password. Maybe I am overreacting but I don’t have any patience for cloud-based service security issues like these. I’ve deactivated both of my Dropbox accounts. And that means I’ve deleted PlainText from my iPhone; I will be using Pages instead. I hope iCloud is drop-dead robust.