Earlier today, a thread surfaced on Reddit offering up 400 Dropbox usernames and passwords in plain text, with a note that over seven million accounts have been compromised in total. Dropbox has since announced on its blog that it wasn't hacked, and that the leaked passwords were stolen from a third-party service.
"Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well."
The leak that was posted on Reddit contained hundreds of accounts with email addresses beginning with the letter "b". Dropbox is sending out password reset instructions to affected users, but as a precaution, it is advised that all users change their passwords on the service. While you're at it, go ahead and enable two-factor authentication as an added layer of security.