
Dropbox in password reuse security breach

Same password used on multiple sites results in Dropbox account compromise.


Dropbox has admitted that a number of customers have been spammed following a breach that led to several accounts being compromised.

The cloud storage provider said that it was made aware of the breach when account holders reported receiving unwanted messages in email accounts used only for Dropbox communications.

The company said in a blog post that it had taken action to investigate the claims.

"A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We've been working hard to get to the bottom of this, and want to give you an update," said Aditya Agarwal, vice president of Engineering at Dropbox.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts."

The company confirmed that several other accounts were also compromised when an employee's Dropbox account was hacked.

"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said the company.

"We believe this improper access is what led to the spam."

Dropbox apologised for the breach and said it would now put additional controls in place to help make sure it doesn't happen again.

The company has now reset affected customers' passwords and will be implementing two-factor authentication, including temporary codes sent to mobile phones at sign-in.

It also plans to introduce automated mechanisms to help identify suspicious activity, and said it would continue to add more of these over time.

Neil Cook, chief technology officer of security company Cloudmark, said that the breach was "unsophisticated".

"The offending messages were hitting a handful of spammy fingerprints at once," he said. "If this were an exam, the spammer would receive an 'ungraded' mark for lack of message complexity or originality."

Cook added that recent data from Cloudmark's Global Threat Network found that there were 264 different domains in use by this spammer.
