Yes, this is correct. Some details about this scenario are mentioned here: What if Dropbox gets hacked?