Security is fungible. You're applying some subjective standard that divides what constitutes a hack and what doesn't. If I had to guess, you wouldn't treat a buffer overflow where some code was executed the same way. This is arbitrary.
Considering a dropbox employee, corporate information, and internal security practices are on the line here: I think the author made the fair, ethical call.
I would think that if the attacker had access to a Dropbox employee's account, which in turn gave him/her access to user accounts, that would constitute a security breach.
That’s not really a response, is it? User account data could be accessed – because Dropbox was unable to protect your data. That’s not quite as awful a access to user account but it’s still awful.
Considering a dropbox employee, corporate information, and internal security practices are on the line here: I think the author made the fair, ethical call.