Last month, Dropbox announced that they had taken on outside help in order to investigate a potential data breach. The investigation kicked off after a dozens of users reported being spammed on accounts used exclusively for the service. Twelve days later, Dropbox has now confirmed the initial speculation, saying the spam originated from a compromised employee’s account.
Since early July, users in the U.K. and EU regions started seeing more and more spam promoting EU Dice, Euro Gaming Palace, Premier Players Club, Vegas Virtual, SP Casino, and Best2day Support. The fact that a majority of them use dedicated Dropbox accounts led to calls of a breach. For nearly two weeks, Dropbox remained somewhat silent, providing only basic updates to the investigation process. That changed on Tuesday.
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” Aditya Agarwal, a Dropbox engineer, posted to the company blog.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
The message from Dropbox is a clever explanation, leaving some to believe that Dropbox’s users were being blamed. However, it is likely that the employee was recycling credentials, and their email address and password were exposed during any one of the summer’s data breaches, which include LinkedIn, eHarmony, Last.fm, and others.
In response to the incident, Dropbox is going to offer two-factor authentication to further protect accounts, and monitor account activity information (such as last login IP), and other mechanisms to detect fraud.
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk,” Agarwal added.
