Dropbox has admitted that some of its accounts were recently hacked, leading to spam being sent to users.
In a statement on its website, Aditya Agarwal, Dropbox's vice president of engineering, said that an investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.
Agarwal said: “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again.
“Keeping Dropbox secure is at the heart of what we do, and we're taking steps to improve the safety of your Dropbox even if your password is stolen.”
Agarwal said that Dropbox was introducing two-factor authentication in a few weeks, automated mechanisms to help identify suspicious activity, and a new page allowing users to examine all active logins to their account.
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk,” said Agarwal.
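The attack pattern described here, credentials stolen from other sites being replayed against a small number of accounts, is what the promised automated detection of suspicious activity has to catch. The following is an added illustration, not Dropbox's code: it runs over a constructed login log and flags source IPs that try many distinct accounts in a short window, then lists the accounts that actually succeeded from such a source so they can be reset.

```python
"""Toy credential-stuffing detector over constructed login events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Dropbox data: (timestamp, username, source_ip, outcome)
SAMPLE_EVENTS = [
    ("2012-07-31T10:00:01", "alice", "198.51.100.7", "fail"),
    ("2012-07-31T10:00:03", "bob", "198.51.100.7", "fail"),
    ("2012-07-31T10:00:04", "carol", "198.51.100.7", "success"),
    ("2012-07-31T10:00:06", "dave", "198.51.100.7", "fail"),
    ("2012-07-31T10:00:08", "erin", "198.51.100.7", "fail"),
    ("2012-07-31T10:00:09", "frank", "198.51.100.7", "success"),
    ("2012-07-31T10:05:00", "alice", "203.0.113.5", "fail"),
    ("2012-07-31T10:05:30", "alice", "203.0.113.5", "success"),
    ("2012-07-31T11:00:00", "bob", "192.0.2.10", "success"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), user, ip, outcome) for ts, user, ip, outcome in events]

def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted distinct usernames} for source IPs that attempted logins
    against at least `min_accounts` different accounts inside `window`.
    A user mistyping a password hits one account repeatedly; a credential list
    replayed from another site's breach hits many accounts from one place."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in parse(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start, peak = 0, 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in attempts[start:end + 1]}))
        if peak >= min_accounts:
            flagged[ip] = sorted({u for _, u in attempts})
    return flagged

def accounts_to_review(events, flagged_ips):
    """Accounts with a *successful* login from a flagged source: their passwords were
    evidently valid elsewhere too, so they are the ones to lock and reset first."""
    return sorted({user for _, user, ip, outcome in parse(events)
                   if ip in flagged_ips and outcome == "success"})
```

In practice the thresholds and window are tuned against the service's normal login volume, and the same per-IP view is what an "active logins" page exposes to the account owner.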
The story began two weeks ago when Dropbox admitted that it had drafted in third-party security investigators after more than a hundred users said that they were receiving spam at their dormant Dropbox email addresses.
Dropbox engineer Joe Gross said that while the company had not had any reports of unauthorised activity on Dropbox accounts, it had taken a number of precautionary steps.
Security blogger Brian Krebs said: “A Dropbox spokeswoman said the company is not ready to disclose just how many user account credentials may have been compromised by this password oops, noting that the investigation is still ongoing.”
CertiVox CEO Brian Spector told SC Magazine that authentication on the internet is a “train wreck”: applications rely on a username and password, users have too many credentials to manage, and there is no good way to secure login data.
Cloudmark said that its insight into the spam campaign showed that “unsophisticated” messages were sent, as they were “hitting a handful of spammy fingerprints at once”.
Chris Barton, senior security researcher at Cloudmark, said: “If this were an exam, the spammer would receive an 'ungraded' mark for lack of message complexity or originality.
“Recent data from our Global Threat Network showed 364 different domains in use by this spammer. Some of the domains point to an IP address shared with domains that have been seen by our system in prior spam campaigns as far back as 2008. So this is a long way from a new campaign.”