Web storage firm Dropbox announced on Wednesday that its recent trouble with spam traces directly to an employee who reused their Dropbox work password on another website, one that was later hacked.
Roughly two weeks ago, attackers began sending spam promoting gambling websites, and it went exclusively to email addresses belonging to Dropbox account holders.
Dropbox staff investigated, found that the users' complaints were well-founded, and traced the problem to a single employee's password.
That employee's email address and password had been stolen from the other site; the attackers used the same credentials to sign in to the employee's Dropbox account and take a project document that happened to contain the email addresses of Dropbox users.
In a statement Dropbox said:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
Dropbox has now introduced an optional two-factor authentication system for logins, along with a mechanism that forces users to retire passwords that are weak or have not been changed in a very long time.
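To make the second of those controls concrete, here is an added example (not Dropbox's code, and not a description of how Dropbox implements it) of a login-time check that decides whether a user must retire their password because it is weak or stale. The thresholds, the tiny list of commonly leaked passwords, and the sample accounts are all assumptions constructed for the demo; a real service cannot inspect stored passwords, since they are hashed, so the weakness test has to run against the password the user submits at login.

```python
"""Forced password-retirement policy: flag passwords that are weak or that
have gone unchanged for too long.  Added illustration; thresholds and the
common-password list are assumptions, not Dropbox's actual rules."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: a small sample of passwords that appear in public credential dumps.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "dropbox", "letmein", "welcome1"}

MIN_LENGTH = 12                  # assumed policy threshold
MAX_AGE = timedelta(days=365)    # assumed; the article gives no number


def is_weak(password: str) -> bool:
    """True if the password is short, a known leaked password (with or without
    a trailing digit/symbol suffix), or drawn from a single character class."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return True
    if lowered in COMMON_PASSWORDS:
        return True
    # "password123!" is still "password" to an attacker's wordlist rules.
    if lowered.rstrip("0123456789!@#$%^&*") in COMMON_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 2


def is_stale(last_changed: datetime, now: datetime) -> bool:
    """True if the password is older than the assumed maximum age."""
    return now - last_changed > MAX_AGE


@dataclass
class LoginAttempt:
    """What the server knows at login: the submitted password (checked and
    then discarded) and the stored timestamp of the last password change."""
    email: str
    submitted_password: str
    last_changed: datetime


def retirement_reasons(attempt: LoginAttempt, now: datetime) -> list[str]:
    """Return the reasons (if any) this user must be forced to pick a new password."""
    reasons = []
    if is_weak(attempt.submitted_password):
        reasons.append("weak")
    if is_stale(attempt.last_changed, now):
        reasons.append("stale")
    return reasons


def evaluate_sample() -> dict[str, list[str]]:
    """Run the policy over constructed sample logins (not real accounts)."""
    now = datetime(2012, 8, 1, tzinfo=timezone.utc)
    sample = [
        LoginAttempt("a@example.com", "Password123!", datetime(2012, 7, 1, tzinfo=timezone.utc)),
        LoginAttempt("b@example.com", "Tr0ub4dor&3xample!!", datetime(2011, 1, 1, tzinfo=timezone.utc)),
        LoginAttempt("c@example.com", "Tr0ub4dor&3xample!!", datetime(2012, 7, 1, tzinfo=timezone.utc)),
        LoginAttempt("d@example.com", "password", datetime(2011, 1, 1, tzinfo=timezone.utc)),
    ]
    return {a.email: retirement_reasons(a, now) for a in sample}


if __name__ == "__main__":
    for email, reasons in evaluate_sample().items():
        print(f"{email}: {'must reset (' + ', '.join(reasons) + ')' if reasons else 'ok'}")
```

The suffix-stripping rule matters more than it looks: credential-stuffing and wordlist attacks routinely try a leaked base word with a few digits or a symbol appended, so "Password123!" should be treated as the leaked word "password", not as a fresh 12-character secret. None of this replaces two-factor authentication, which is what actually stops a reused password from being sufficient on its own.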
Dropbox has not revealed how many accounts were compromised by the security breach.