
He's saying that for any account to have been potentially compromised due to this bug it would have had to occur during the ~4 hour window the bug was active. During that window less than 1% of all Dropbox users logged in, so that puts a cap on how many users could potentially have been compromised. Of course, of that "less than 1%" most were probably valid logins, so that 1% doesn't represent only compromised accounts but rather a ceiling on how many could possibly have been compromised.


Thanks. That makes perfect sense.

That said, I can't help but feel misdirected. I mean, obviously the cap on the number of compromised accounts is relevant, but I think more relevant is the fact that 100% of the accounts were completely insecure for hours.

Misdirected, because as a user I don't care at all how many accounts were actually compromised. This isn't a no-harm-no-foul incident. It's an enormous breach of trust that causes me to completely rethink what I'd be willing to do with their service.



