I figured out what I think is the only possible attack vector. The mtgox leak included an old password of mine, one that was never used on mtgox while the account was active. I still changed all of my passwords on important sites -- but I forgot Dropbox, where I was using the same email address and password as the old mtgox one.
I would guess the other guy was hacked in the same way, given that it happened when both of us had our computers turned off.