Dropbox Spam Traced to a Hijacked Employee Account
Several Dropbox accounts were hijacked using stolen credentials from other sites
A couple of weeks ago, Dropbox users started noticing that they were getting hit with spam on email addresses they only used for Dropbox and didn't disclose to anyone. Dropbox has investigated the issue and things don't look good. The site hasn't been "hacked" as some pageview-hunting bloggers were quick to write. But it did mess up. User emails were indeed leaked from the Dropbox account of an employee working on an internal project.
What happened was that another site was hacked and username/password combinations were leaked. Several Dropbox users had the same username and password on that site and on Dropbox, including this particular Dropbox employee.
Some Dropbox accounts were accessed with these stolen credentials, including the one belonging to the employee. There, the "hackers" found the list of email addresses that was later used for spam.
Dropbox itself was not hacked in any way; there was no breach. But it can't get off the hook entirely. Password reuse is a common problem and an understandable one for the regular user. Not so for a Dropbox employee, who should know better, especially when handling sensitive information.
Which brings us to the second big problem: what was a list of email addresses belonging to Dropbox users doing in an employee's Dropbox account in the first place? It was probably needed for an internal project, but measures should have been taken to keep it more secure.
This is the only thing that Dropbox can be faulted for: a rather worrying lack of internal security policies and culture. Despite several big problems, and despite being a company that handles so many sensitive files for so many people, Dropbox either doesn't believe security is a big issue or is incapable of making security a priority at the company.
Dropbox has vowed to institute several new policies and features, like two-factor authentication, a login-location log and so on. But the first priority should be on its internal policies.