by ddrager 4853 days ago
What about the possibility that end-users' computers are breached?

- User/pass is saved in the 'Remembered password' area of browser (this is decodable by malware)
- Email is screen-scraped by malware
- Email is sniffed during login at a wifi hotspot (Password is encrypted, user/email may not be)
- 3rd party apps that are linked to your Dropbox account

I'm not saying that this wasn't caused by the database breach, but there are a TON of reasons that this could have happened. Some on Dropbox, some on the end users.

Don't expect your email address to stay private. That's what passwords are for.

2 comments

Yeah, it's tough to really know who leaked. Alice and Bob both know secret S, and each can blame the other if S is leaked, but neither of them really knows who did it.

There have been some research projects where unique and unguessable passwords were made in laboratory conditions and securely given to sites to see if they managed to leak. I trust those a lot more because they often lock up the email addresses and never use them. From what I recall some big companies did give out addresses they promised not to, but that's not a blanket condemnation of all businesses.

Yeah, but if that happened to a person who habitually used sub-addressing it would be pretty obvious. They would likely have received the same spam many times from many of their sub-addressed emails. People who take the trouble to set this up don't use it in only one place.
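
The reasoning in the reply above, as an added example that is not part of the original thread: spam is grouped by campaign and classified by how many distinct sub-address tags it reached. The `+tag` separator, the mailbox `alice@example.org`, the campaign ids, the three-tag threshold and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

def tag_of(recipient, mailbox="alice", domain="example.org"):
    """Return the sub-address tag, '' for the bare address, None if not our mailbox."""
    addr = parseaddr(recipient)[1].lower()
    local, _, dom = addr.rpartition("@")
    if dom != domain:
        return None
    base, _, tag = local.partition("+")   # assumed '+' sub-address separator
    return tag if base == mailbox else None

def attribute_leaks(spam, min_tags_for_endpoint=3):
    """spam: iterable of (campaign_id, recipient). Classify each campaign by tag spread."""
    tags_by_campaign = defaultdict(set)
    for campaign, rcpt in spam:
        tag = tag_of(rcpt)
        if tag:                            # skip foreign and untagged recipients
            tags_by_campaign[campaign].add(tag)
    verdicts = {}
    for campaign, tags in tags_by_campaign.items():
        if len(tags) == 1:
            # Only one site ever saw this address: that site (or its partners) leaked it.
            verdicts[campaign] = ("single-site", sorted(tags))
        elif len(tags) >= min_tags_for_endpoint:
            # Same spam on many unrelated tags: the common factor is the user's side.
            verdicts[campaign] = ("mailbox-or-endpoint", sorted(tags))
        else:
            verdicts[campaign] = ("inconclusive", sorted(tags))
    return verdicts

# Constructed sample: (campaign id, envelope recipient). Not real data.
SAMPLE = [
    ("campaign-A", "alice+dropbox@example.org"),
    ("campaign-A", "Alice+Dropbox@example.org"),
    ("campaign-B", "alice+dropbox@example.org"),
    ("campaign-B", "alice+bank@example.org"),
    ("campaign-B", "alice+forum@example.org"),
    ("campaign-B", "alice+shop@example.org"),
    ("campaign-C", "alice+shop@example.org"),
    ("campaign-C", "alice+forum@example.org"),
    ("campaign-D", "bob@example.org"),
]

if __name__ == "__main__":
    for campaign, verdict in sorted(attribute_leaks(SAMPLE).items()):
        print(campaign, verdict)
```
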