If you see the OP, the woman behind the lawsuit seems angry that she had to find out about it in the news rather than with Dropbox informing her. That is a serious mistake and one that Dropbox should take heat for. Bugs happen but not communicating to users was a deliberate move.
She was not mailed because there was no access to her account, or did I read it wrong that everyone whose account was accessed was mailed?
What should they have told her? "Someone could have accessed your account in the last few hours due to a bug, but that didn't happen. Nothing to worry about!"
I completely agree. Dropbox made a huge mistake. Dropbox is run by humans, and humans make mistakes, that's life. But when it came to communicating the issue, they screwed up IMHO. I shouldn't need to subscribe to their blog RSS to know this kind of stuff.
They should have mailed everyone, encouraging users to change their passwords right away while they investigated the issue.
I see the run by humans argument a lot, but what you need to keep in mind is that a company is NOT a human. No one's suing the individual employees here, but a company. There is a massive difference.
By their nature companies are entirely selfish (especially companies with outside investment) and unless you're going to hold the humans within a company individually responsible for a company's douchebaggery then by the same logic you also shouldn't give the company a break because it's run by humans.
The important thing about this bug is that it allowed log-ins without passwords. No passwords were compromised. Therefore, asking users to change their passwords would have been FUD, as well as making it more difficult to identify which users were affected by the person exploiting the bug (if almost every user logs in during 4 hours, you're going to have a lot of trouble identifying the <100 accounts who were accessed by the attacker).