When a few hundred Dropbox users began receiving spam emails about online casinos and gambling sites two weeks ago, it seemed like something was up. And indeed there was.
The online file storage service confirmed today that hackers obtained usernames and passwords from third-party sites and then used them to get into Dropbox users' accounts.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," Aditya Agarwal, the company's director of engineering, wrote in a post on the Dropbox website.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."
Agarwal said that Dropbox will now offer two-factor authentication for members, giving them the option of requiring two forms of identification before access to an account is granted. He said the company was also adding new automated systems to monitor suspicious activity and a new page allowing members to see all active logins on their account.
He added: "At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk."