The problem is that in the Dropbox company it was fine to just make a drop box account with some password that you reuse elsewhere. That is the fundamental problem. They don't have their employees use KeePass, or 1Password or something similar and generate random passwords that they change routinely, or any of these other security practices that would have prevented this attack without the two factor authentication. Dropbox is a huge target and does not have the expertise to play in that league (evidenced by the fact that they needed outside help to figure out this attack). I think the two factor authentication is a good thing, but if they think "OK, problem solved" then it is not helping them. There is no replacement for good security practices, especially in a company with such a high profile.

Although I fundamentally agree that the underlying issue is their security practices (or lack thereof), this does address the specific recent hack (of an employee of theirs reusing the same password on Dropbox as on another account with another company that was compromised), and is a good idea regardless. I wish more sites did it.

You can get all the info on recovery.org for free. You would think the government could redirect their DNS name for a lot less $18 million. I'd do it for $18 for them.