"We learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."
that's a shitty thing to do imo. they first lure their users into a false sense of security with "This is purely a preventative measure (...)" and only provide an explanation if you go through the linked article.
they screwed up. yes, it was 4 years ago but they did. they should acknowledge it in the most simple manner.
"We learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."