The spam outbreak that last month flooded the inboxes of Dropbox customers has been traced back to a hacked employee account, company representatives said late Tuesday.
After some investigation, the free file-hosting service determined that passwords stolen from other websites had been used to access a "small number" of Dropbox accounts, engineer Aditya Agarwal said on the company blog. Among those affected was an unnamed Dropbox employee who used the same password on an unspecified website as well as on his Dropbox account, which also contained a "project document with user email addresses," Agarwal wrote.
The unsolicited messages sent to Dropbox users predominantly advertised European gambling websites. Users complained on company forums that they were receiving spam in email accounts that had been specifically created for use with the service.
The company subsequently launched an internal investigation and brought in an outside security team to track down what might have happened.
While the company said on July 21 that it had not received "any reports of unauthorized activity" on Dropbox accounts, two weeks later it confirmed the breach, and urged users to make sure they were using unique passwords across online services.
"The Dropbox incident underlines the necessity of having different passwords for every website," Graham Cluley, senior technology consultant at Sophos, told SCMagazine.com in an email. "As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."
The fact that the password was siphoned from a third-party source and used against Dropbox shows that password complexity requirements or other policies are "useless and impractical," Jay Heiser, a research vice president at Gartner, wrote on his blog.
"The passwords were stolen outside of Dropbox, so no amount of password complexity on the part of Dropbox could have prevented these incidents," Heiser wrote, adding that more secure authentication methods were necessary to protect users.
Dropbox may be coming around to that view, as Agarwal outlined new security features that will be rolled out to users over the next few weeks, including two-factor authentication, a new page that lists logs of recent user activity and "other automated mechanisms to help identify suspicious identity."
Dropbox will also proactively start prompting users to change their password if the systems detect it hasn't been changed in a while or is commonly used, Agarwal said.
Dropbox did not immediately respond to SCMagazine.com when asked when these features will be rolled out.