That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved. Still a non-zero risk, but I could see a case being made that the severity of that risk is low.
The significantly greater issue imo is the leaking of email addresses and ensuing spam.
> That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved.
If I'm interpreting the hashcat screenshot correctly (I'm probably not, and even if I am it's probably skewed by init overhead or by not counting the final result) it looks like passwords can be attacked at ~6ms/dictionary attempt against the bcrypt passwords? While HIBP didn't get their hands on salts for the SHA1s, that doesn't mean they weren't breached as well.
I take it as a given that all high value dropbox accounts with a weak password in this breach will be pwnt.
Then again, it took until last week for anyone to try and grab my Minecraft account (successful email change, but successful resecure.) Given that HIBP knew about 1 of the 4 breaches I'm aware of for similarly weak passwords, I'm surprised it took this long... (I've since finally gotten off my ass and better secured all the legacy old terribly passworded accounts I can think of / were listed in my password database...)
I think the risk is a lot higher than described by this post or dropbox. There are nearly 70 million credentials, and email addresses actually contain a fair amount of heuristic information for an attacker. For example just filter down to addresses from hotmail or yahoo, and suddenly you have a list of credentials that are far more likely to be susceptible to a dictionary attack.
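An added example, not code from the thread, showing two points raised above in Python: the earlier reply's point that a missing salt changes the attacker's cost (one hash per candidate checked against every user at once, versus one hash per candidate per user), and this comment's heuristic of filtering the credential list by email domain before spending guesses. The sample dump and wordlist are constructed for the example; the 6 ms/guess figure is the commenter's reading of the hashcat screenshot and is passed in as a parameter, not measured here. SHA-1 is used for both tables so the example runs on the standard library; the salted-cost argument applies the same way to bcrypt.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample data for this example only (not real breach records).
SAMPLE_USERS = [
    ("alice@hotmail.com", "password1"),
    ("bob@yahoo.com", "letmein"),
    ("carol@example.org", "Tr0ub4dor&3-correct-horse"),
    ("dave@hotmail.com", "qwerty"),
]
WORDLIST = ["123456", "password1", "qwerty", "letmein", "dragon"]


def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(salt: bytes, password: str) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_dump(users):
    """Leaked table as it would look without salts: (email, sha1(password))."""
    return [(email, sha1_unsalted(pw)) for email, pw in users]


def build_salted_dump(users, salt_len=16):
    """Leaked table with a random per-user salt: (email, salt, sha1(salt || password))."""
    dump = []
    for email, pw in users:
        salt = os.urandom(salt_len)
        dump.append((email, salt, sha1_salted(salt, pw)))
    return dump


def crack_unsalted(dump, wordlist):
    """Unsalted: hash each candidate once and look it up against every user at the same time.
    Work is len(wordlist) hashes regardless of how many users leaked."""
    by_hash = defaultdict(list)
    for email, digest in dump:
        by_hash[digest].append(email)
    found, hashes = {}, 0
    for word in wordlist:
        hashes += 1
        for email in by_hash.get(sha1_unsalted(word), []):
            found[email] = word
    return found, hashes


def crack_salted(dump, wordlist, prioritise_domains=None):
    """Salted: every candidate must be rehashed under each user's salt, so work is
    up to len(targets) * len(wordlist). prioritise_domains is the heuristic from the
    comment: only spend guesses on users at domains judged likely to have weak passwords."""
    targets = dump
    if prioritise_domains:
        targets = [t for t in dump if t[0].rsplit("@", 1)[1] in prioritise_domains]
    found, hashes = {}, 0
    for email, salt, digest in targets:
        for word in wordlist:
            hashes += 1
            if sha1_salted(salt, word) == digest:
                found[email] = word
                break  # stop guessing this user once the password is recovered
    return found, hashes


def estimate_seconds(n_targets, n_words, seconds_per_guess):
    """Worst-case wall time for a per-user dictionary attack at a given guess rate.
    For bcrypt the rate depends on the cost factor: each +1 to the cost halves the rate."""
    return n_targets * n_words * seconds_per_guess


if __name__ == "__main__":
    unsalted = build_unsalted_dump(SAMPLE_USERS)
    salted = build_salted_dump(SAMPLE_USERS)
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted, all users:", crack_salted(salted, WORDLIST))
    print("salted, hotmail/yahoo only:",
          crack_salted(salted, WORDLIST, {"hotmail.com", "yahoo.com"}))
    # 6 ms/guess is the commenter's reading of the hashcat screenshot (assumed, not measured).
    print("bcrypt, 1 user x 10k-word list at 6 ms/guess: %.0f s"
          % estimate_seconds(1, 10_000, 0.006))
```

The hash counts returned alongside the recovered passwords are the point: the unsalted table costs one hash per candidate for the whole dump, the salted one costs a hash per candidate per targeted user, and the domain filter reduces that second number only by shrinking the target set, which is why the filtering heuristic matters when the per-guess cost is in milliseconds rather than nanoseconds.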