The blog post mentions that they ended all logged-in sessions, but did they also roll back any new sync settings set from the start of the incident to when they did their cleanup? E.g.:
User Joe's account is logged into by attacker Tom. Tom sets his computer as one of Joe's "My Computers". Does what they did to clean up the problem invalidate this or does Joe have to log into his account, look at his list of "My Computers" and remove the ones he doesn't recognize manually to stop Tom's system from automatically syncing all his stuff until he does finally notice (which is likely never for most users, I'd assume)?
I'm not affiliated with Dropbox or familiar with the way their systems work internally, but it seems pretty likely to me that the "magic files that let you log in without a password" are what Dropbox calls "sessions", since this is the only form of access control you have after a password. So yes, they did roll these back.