A hacker already knows the victims credentials for Dropbox account that has two-factor authentication enabled, is able to hack it. The flaw is related to the lack of verification of authenticity of the email addresses used to sign up a new DropBox account. A hacker could conduct the attack creating a new fake account similar to the target one and append a dot (.) anywhere in the email address. The attacker then logout from the fake account and log into the Dropbox victim’s account, which has 2FA enabled, with the real credentials.”]
Source: http://securityaffairs.co/wordpress/15944/hacking/dropbox-account-hacking.html