Dropbox in password reuse security breach
Same password used on multiple sites results in Dropbox account compromisation.
Dropbox has admitted that a number of customers have been spammed following a breach of its infrastructure that led to a number of accounts being compromised.
The cloud storage provider said that it was made aware of the breach when account holders reported receiving unwanted messages in email accounts used only for Dropbox communications.
The company said in a blog post that it had taken action to investigate claims.
"A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We've been working hard to get to the bottom of this, and want to give you an update," said Aditya Agarwal, vice president of Engineering at Dropbox.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts."
The company confirmed that several other accounts were also compromised when an employee's Dropbox account also got hacked.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said the company.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"We believe this improper access is what led to the spam."
Dropbox apologised for the breach and said it would now put additional controls in place to help make sure it doesn't happen again.
The company has now reset affected customers' passwords and will be implementing two-factor authentication including temporary codes sent to mobile phones when signing in.
It also plans to introduce automated mechanisms to help identify suspicious activity. Dropbox said it would also continue to add more of these over time.
Neil Cook, chief technology officer of security company Cloudmark said that the breach was "unsophisticated".
"The offending messages were hitting a handful of spammy fingerprints at once," he said. "If this were an exam, the spammer would receive an ungraded' mark for lack of message complexity or originality."
Cook added that recent data from Cloudmark's Global Threat Network found that there were 264 different domains in use by this spammer.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
ITPro is 20!We take a look back on the past two decades since ITPro launched...
-
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaignNews The tie-up includes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cyber crime
-
We need to do something about passwordsPasswords are a fundamental aspect of access security, but recent password leaks have undermined their ability to protect data
-
Dashlane lifts the lid on attack that saw hackers download encrypted user vaultsNews The company said it has now informed all affected customers, and taken action to shut down the operation
-
The NCSC says it’s time to switch to passkeysNews UK security organization calls for companies to step up and offer more secure ways to login
-
AI agents are creating new identity security risks: 1Password wants to solve thatNews The Unified Access system from 1Password will help enterprises manage AI agent access across different devices and users
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Gen Z has a cyber hygiene problemNews A new survey shows Gen Z is far less concerned about cybersecurity than older generations