Dropbox does have an API, https://www.dropbox.com/developers but this is about reverse engineering the client which seems to use things not here -- in particular, some authentication stuff. I haven't read in depth about why that allowed them to bypass 2-factor auth though.
> We found that two-factor authentication (as used by Dropbox) only protects against unauthorized access to the Dropbox’s website. The Dropbox internal client API does not support or use two-factor authentication!