Dropbox has become the latest big name to disclose a security breach. It seems the cloud storage company was caught out by one of the oldest tricks in the book – people using the same password on multiple sites.
The company has confirmed that passwords stolen from other services were then used to access Dropbox accounts, including one belonging to an employee.
Whoever accessed the account stole a "project document" which contained user email addresses. That led to users noticing a surge in spam emails being sent to addresses they’d only ever used for Dropbox.
Dropbox users first began reporting an increase in spam in early July. The company was quick to respond and launched an investigation.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," a statement on the Dropbox website said.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again," the statement added.
The company will also be revamping its security procedures by introducing two-factor authentication. This will mean that users may have to provide two forms of identification, such as a password and a one-time code that is sent to the user’s mobile phone.
Users will also be able to access a page that will display all active logins. Dropbox will also be asking some users to reset their passwords. These changes will be rolled out over the next few weeks, Dropbox said.
The security industry has long warned people against reusing the same password across multiple sites because, as this case demonstrates, once a hacker gains access to one account they will try the same credentials against other services.