Hacked Dropbox accounts were recently used in a spam campaign that affected a few hundred users. Usernames and passwords were allegedly accessed via third-party websites two weeks back, but the recent spam campaign confirms the breach was real.
The online file storage service confirmed that user accounts were accessed and that an employee document containing user emails was used in the spam campaign. Users from Germany, Holland and the U.K. complained on the official Dropbox forum that they received online casino and gambling spam at Dropbox-associated email accounts.
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” Dropbox wrote in a blog post. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.”
To improve users’ account safety, Dropbox put in place two-factor authentication, automated mechanisms to monitor suspicious activity, and an activity report page where users can view all logins, and even notified them to change their passwords.
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use,” said the online file storage service in the same blog post. “Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk.”