When European users started complaining about a flood of spam hitting email accounts they only used for Dropbox, the popular cloud storage service immediately began investigating. After an outside security team declared they could find no evidence of any sort of data breach or compromise, Dropbox announced the news on July 21st and said it didn’t appear they were responsible.
A rather red-faced Dropbox announced yesterday on their company blog that they had found what they believe to be the cause of the spam attack – an employee’s account had been compromised. That account just happened to contain a project document with a list of customer email addresses. The company isn’t sure how the breach happened but it’s likely the employee fell for a phishing email and unwittingly turned over their account info.
The company has already gotten to work on solutions to keep such a thing from happening again. They’ve introduced a page where users can review all recent logins to their accounts, two-factor authentication and automated tools to instantly detect any suspicious activity.
Dropbox also discovered some user accounts had been compromised using login info stolen in recent hacks on other sites. If your account is one of them, they’ve probably already notified you. (This is why its never a good idea to use the same username and password on multiple sites).
The spam campaign, which hawked online gambling sites, only affected European users. There’s been no evidence that any info belonging to North American users has been compromised.