Dropbox admitted on Tuesday that its users had been experiencing a torrent of spam. Upon investigating, the company concluded that the source of the problem was password reuse by a Dropbox employee, which created a security hole.
InformationWeek:
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.
The investigation began two weeks ago, when users began reporting spam attacks against email address that were used for access to the Dropbox service.
Many of the attacks were traced to password-reuse within Dropbox itself – one of the stolen passwords belonged to a Dropbox employee, who had a number of user email addresses stored in his account. This lead to a mass spamming of Dropbox users.
Dropbox has apologized to users, and promised to tighten security by adding new security controls. The controls will include a page that will let users review the login history related to their account, mechanisms to identify suspicious activity, and two-factor authentication.
Security experts, such as Rik Ferguson, director of security research and communication at Trend Micro, are questioning whether Dropbox’s fixes go far enough.
This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised. It is not specified which services they refer to, but again, why?
He also criticized Dropbox’s use of email to inform users of the breach. They had included a “reset your password” link in the email, making them appear very much like the very spam and phishing schemes that people have been warned to avoid!
Despite the new security measures added by Dropbox, account holders are strongly encouraged to change their passwords as soon as possible.
