A few weeks ago, there were reports that Dropbox users had started to receive spam at the e-mail addresses tied to their Dropbox accounts. The telling detail was that some of these addresses were used only for Dropbox, which meant the address leak had to have come from Dropbox itself, since there was no other way for those addresses to have been exposed.
Dropbox enlisted the help of "an outside team of experts" to aid its own security team and law enforcement. Dropbox's VP of Engineering, Aditya Agarwal, said in a blog post that a number of usernames and passwords had been stolen from third-party websites. These credential pairs were then used to sign into "a small number of Dropbox accounts."
One of those stolen credential pairs belonged to a Dropbox employee. The employee's Dropbox account contained a project document with a list of user e-mail addresses, and the company believes "this improper access is what led to the spam." Dropbox is taking several steps to prevent something like this from happening in the future, which it lists as follows:
- Two-factor authentication, a way to optionally require a unique code in addition to your password when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We'll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it's commonly used or hasn't been changed in a while)
There's still plenty to be learned as the investigation is ongoing. For now, it would appear that both Dropbox and its users share responsibility for this incident: a password reused across sites by an employee was the entry point, and the same risk applies to any user who reuses a password. Dropbox is doing its part and suggests that its users do the same, pointing out that "though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk."