They *already* do this, not because they're scanning things, but because they index files on their hashes in the first place.
Remember "Dropship"? If you knew the hash of a file on Dropbox, you could "teleport" it into your Dropbox storage by using the API to tell Dropbox that you had a file with that hash locally. Since it got used for file-sharing, that was shut down - but it reveals that for de-duping purposes, Dropbox hashes all your files anyway.
It's a trivial matter to take that file, hash it, do a lookup in the table of files that belong to each user, and produce a list of the accounts. It's probably already been done for copyright-infringement suits.
No bulk scanning required. Just a lookup.
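The lookup described in the comment above, sketched as an added example; it is not part of the original comment and is not Dropbox's code. The class names, account names, the choice of SHA-256 and the keyed variant (client-held per-account keys) are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict


class DedupStore:
    """Toy content-addressed store: one blob per distinct SHA-256 digest."""

    def __init__(self):
        self.blobs = {}                 # digest -> bytes, stored once
        self.owners = defaultdict(set)  # digest -> accounts referencing it

    def put(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)  # de-dup: a repeat upload adds no blob
        self.owners[digest].add(account)
        return digest

    def owners_of(self, data):
        """Hash a file the provider was handed and list the accounts holding it."""
        digest = hashlib.sha256(data).hexdigest()
        return sorted(self.owners.get(digest, ()))


class KeyedStore(DedupStore):
    """Hypothetical variant: index key is HMAC(per-account key, data)."""

    def put(self, account, data, key):
        digest = hmac.new(key, data, hashlib.sha256).hexdigest()
        self.blobs.setdefault(digest, data)
        self.owners[digest].add(account)
        return digest


def demo():
    shared = b"constructed sample file contents"  # constructed sample input
    plain = DedupStore()
    plain.put("alice", shared)
    plain.put("bob", shared)
    plain.put("carol", b"something else")
    keyed = KeyedStore()
    keyed.put("alice", shared, b"alice-key")
    keyed.put("bob", shared, b"bob-key")
    return {
        "plain_blobs": len(plain.blobs),          # shared file stored once
        "plain_owners": plain.owners_of(shared),  # one dictionary lookup
        "keyed_blobs": len(keyed.blobs),          # no cross-account de-dup
        "keyed_owners": keyed.owners_of(shared),  # plain hash matches nothing
    }
```

The keyed variant shows the trade-off: the same index that saves storage across accounts is what makes the account list a single lookup.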