Last month, Dropbox announced that they had taken on outside help in order to investigate a potential data breach. The investigation kicked off after a dozens of users reported being spammed on accounts used exclusively for the service. Twelve days later, Dropbox has now confirmed the initial speculation, saying the spam originated from a compromised employee’s account.
Since early July, users in the U.K. and EU regions started seeing more and more spam promoting EU Dice, Euro Gaming Palace, Premier Players Club, Vegas Virtual, SP Casino, and Best2day Support. The fact that a majority of them use dedicated Dropbox accounts led to calls of a breach. For nearly two weeks, Dropbox remained somewhat silent, providing only basic updates to the investigation process. That changed on Tuesday.
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” Aditya Agarwal, a Dropbox engineer, posted to the company blog.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
The message from Dropbox is a clever explanation, leaving some to believe that Dropbox’s users were being blamed. However, it is likely that the employee was recycling credentials, and their email address and password were exposed during any one of the summer’s data breaches, which include LinkedIn, eHarmony, Last.fm, and others.
In response to the incident, Dropbox is going to offer two-factor authentication to further protect accounts, and monitor account activity information (such as last login IP), and other mechanisms to detect fraud.
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk,” Agarwal added.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
