Out-Law News 1 min. read
03 Aug 2012, 10:10 am
The cloud provider said email addresses belonging to an unspecified number of users had been obtained during the breach, and that this was probably why "some users" had complained about spam arriving at those addresses.
Dropbox said one of its staff members had their password stolen in a recent security breach involving other websites, and that the same password had then been used to access the employee's Dropbox account, where a document containing user email addresses was stored.
"A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox," Aditya Agarwal, vice president of engineering at Dropbox, said in a company blog post. "We've been working hard to get to the bottom of this, and want to give you an update."
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again," Agarwal added.
Dropbox will soon introduce "two-factor authentication" for account access, while new "automated mechanisms" will also be put in place to monitor for "suspicious activity", he said. Agarwal added that Dropbox users will be able to "examine all active logins" to their account, and that some users will also be asked to update their password.
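The "automated mechanisms" mentioned above are not described in any detail, but the pattern behind this incident (passwords stolen elsewhere and replayed against many accounts) has a recognisable signature in authentication logs: one source address trying a large number of distinct usernames with a low success rate. The following is an added illustration of that kind of detection logic, written for this article; it is not Dropbox's code, and the log format, the thresholds and the sample events are all constructed assumptions.

```python
"""Illustrative credential-stuffing detector (added example, not Dropbox code).

Input: constructed login events of the form
    <timestamp> user=<name> ip=<source address> result=<ok|fail>
Rules (thresholds are assumptions chosen for the example):
  * a source IP that attempts logins for at least MIN_DISTINCT_USERS distinct
    accounts with a success rate at or below MAX_SUCCESS_RATE is flagged as a
    likely credential-stuffing source;
  * every account that had a successful login from a flagged IP is listed for
    follow-up (forced password reset, user notification, session review).
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_DISTINCT_USERS = 5   # assumption: tune to the real login volume
MAX_SUCCESS_RATE = 0.2   # assumption: stuffing campaigns mostly fail


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    user: str
    ip: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one log line in the constructed key=value format above."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return LoginEvent(ts, fields["user"], fields["ip"], fields["result"] == "ok")


def find_stuffing_sources(events):
    """Return {ip: stats} for source addresses matching the stuffing pattern."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        distinct_users = {e.user for e in evs}
        successes = sum(1 for e in evs if e.success)
        rate = successes / len(evs)
        if len(distinct_users) >= MIN_DISTINCT_USERS and rate <= MAX_SUCCESS_RATE:
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len(distinct_users),
                "success_rate": rate,
            }
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts that were successfully logged into from a flagged source."""
    return sorted({e.user for e in events if e.success and e.ip in flagged_ips})


# Constructed sample log: 203.0.113.7 sprays eight different accounts and gets
# into one ("dave"); the other two addresses are ordinary user activity.
SAMPLE_LOG = """
2012-07-17T09:00:01Z user=alice ip=198.51.100.5 result=ok
2012-07-17T09:00:02Z user=bob ip=203.0.113.7 result=fail
2012-07-17T09:00:02Z user=carol ip=203.0.113.7 result=fail
2012-07-17T09:00:03Z user=dave ip=203.0.113.7 result=ok
2012-07-17T09:00:03Z user=erin ip=203.0.113.7 result=fail
2012-07-17T09:00:04Z user=frank ip=203.0.113.7 result=fail
2012-07-17T09:00:04Z user=grace ip=203.0.113.7 result=fail
2012-07-17T09:00:05Z user=heidi ip=203.0.113.7 result=fail
2012-07-17T09:00:05Z user=ivan ip=203.0.113.7 result=fail
2012-07-17T09:10:00Z user=alice ip=198.51.100.5 result=ok
2012-07-17T09:12:00Z user=bob ip=192.0.2.9 result=fail
2012-07-17T09:12:30Z user=bob ip=192.0.2.9 result=ok
"""


def analyse(log_text: str):
    """Run both rules over a log and return (flagged_ips, accounts_to_review)."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    flagged = find_stuffing_sources(events)
    return flagged, compromised_accounts(events, flagged)


if __name__ == "__main__":
    flagged, accounts = analyse(SAMPLE_LOG)
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts to review:", accounts)
```

On the sample data only 203.0.113.7 is flagged (eight attempts across eight accounts, one success), and "dave" is the account to review; the user who mistyped a password once from 192.0.2.9 is left alone because a single account never crosses the distinct-user threshold. In a real deployment the same logic runs over a sliding time window, and the account list feeds the reset and notification steps the article describes.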
"Keeping Dropbox secure is at the heart of what we do, and we're taking steps to improve the safety of your Dropbox even if your password is stolen," he said. "At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk."