In mid-July, Dropbox users reported receiving spam in email accounts created exclusively for the service. Now, the company has admitted that, while it wasn’t hacked, the problem was the result of a security breach.
A blog post on the Dropbox website explains what happened:
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts… A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
So, you should at least feel a sense of relief over the fact that Dropbox itself wasn’t hacked. Slightly alarming, though, is the fact that Dropbox employees keep unencrypted lists of user emails in their cloud storage. That doesn’t inspire confidence.
Fortunately, the whole incident has caused Dropbox to tighten up its security generally. Over the next few weeks, you can expect to see the option of using a two-factor authentication process — if you can be bothered — as well as the ability to examine all active logins to your account.