The "obvious weakness" is the non-technical part of this: you can sign up to Dropbox (and most services for that matter) with an extremely weak password. I just signed up with a dummy email address and a password of "password". :-) If you look through password lists that have leaked online, the most common passwords are very easily guessable.
Anyway, not trying to dismiss their efforts here -- they're good. But this is only half of the equation.
I go back and forth on this, but ultimately, anyone using "password" or "123456" as their password should expect their account to get broken into at some point. Honestly, I've never met anyone that uses passwords that weak for anything they actually care about, even completely non-technical folks.