Dropbox System Compromised After Employee Account Hack

Dropbox confirmed, after a two-week investigation, that its system had been hacked. The investigation began after a few hundred Dropbox users reported receiving spam at the email addresses they had registered for their Dropbox accounts.

According to the company blog, one of its employees’ accounts was targeted by hackers, who were able to gain access to a project document containing user email addresses. Dropbox said it had already contacted the owners of the affected email accounts to help them protect their accounts.

The spate of spam emails about gambling sites and online casinos last month irritated users of the cloud-storage service. Dropbox promptly opened an investigation to check for further leaks from its system.

Dropbox also said that usernames and passwords stolen from other websites were used to access a significantly smaller number of Dropbox accounts. Hackers routinely try stolen usernames and passwords on other services in the hope that people have reused the same combinations, which is a common security problem.

The spam emails were written in English, Dutch, and German and advertised gambling websites. Only European victims were affected by the breach, though. Many of the victims wrote in the company forum that they used a unique email address dedicated to Dropbox, which led users to think the company had been hacked.

Dropbox hired a third-party security team to audit and investigate. The result showed that the company’s internal systems are secure and that no other accounts are affected.

Afterwards, Dropbox announced that it would introduce more stringent authentication by sending a temporary code to the user’s phone. According to Dropbox, activity logs will also be provided for all accounts so that users can monitor for improper access. Users will also receive an email notification if their password has not been changed for some time. Dropbox further suggests that users avoid using the same password on several sites, to keep their accounts from being compromised.

The security breach is eerily reminiscent of LinkedIn’s mega password leak last June.