An investigation started a fortnight ago by external experts at the request of Dropbox has concluded that an employee's hacked account led to a limited number of users receiving spam in their registered email accounts. On its official blog, Dropbox said the stolen password was "used to access an employee Dropbox account containing a project document with user email addresses."
Apparently the Dropbox employee was reusing his corporate password on other web services which were compromised. That alone is a major security oversight on his part but perhaps more worrysome is the fact that he was using live customer information in a "project document" rather than dummy data.
Likewise, the company also found that usernames and passwords recently stolen from other websites were used to sign in to "a small number of Dropbox accounts," though they did not cite specific numbers.
Besides offering an update to its users, the cloud storage company also announced it is taking several steps to improve the safety of Dropbox accounts going forward, including an optional two-factor authentication system that will be arriving shortly. A new page has also be created to show users all their active logins, which will later be matched with mechanisms to automatically identify any suspicious activity.
Dropbox also reminded users to follow recommended industry practices by using unique passwords for each online account. While these can be hard to remember, services like LastPass make it easier, with one single password to remember. Those that have easily cracked passwords, or haven't changed them in a long time will be notified by email that they need to be changed.
This is not the first time security concerns have been raised by Dropbox users. Most notably, in June last year a bug disabled the service's authentication mechanisms for four hours, allowing anyone to log into accounts with any string of text for the password.