
Spam Campaign Caused by Stolen Dropbox Employee Password

Written by Brian Prince
Aug 1, 2012

Cloud-based storage provider Dropbox came clean with more details today about a security breach that led to a spamming campaign.

The company’s investigation into the incident revealed that usernames and passwords stolen from other Websites were used to sign in to a number of Dropbox accounts, including one belonging to a Dropbox employee that contained a “project document” with user email addresses. According to the company, the document is believed to have been used to launch the spam campaign.

Following the breach, Dropbox users in Holland, Germany and the United Kingdom began reporting on a Dropbox user forum that they were receiving spam for gambling sites. The ensuing complaints led to suspicions that Dropbox had been hacked.

In a blog post, Dropbox engineer Aditya Agarwal apologized for the situation and said the company is putting additional controls in place to prevent future breaches. In particular, the company plans to adopt two-factor authentication as an optional way to prove identity when users are signing in. This will be coming in a few weeks.

In addition, the company has added new automated mechanisms to help identify suspicious activity, a new page that lets users examine all active log-ins to their account, and required password changes where a password is commonly used or hasn't been changed in a long time.
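The two user-facing controls described in that paragraph, a forced password change for commonly used or stale passwords and an "active log-ins" view that flags sessions from unfamiliar locations, are easy to express as plain policy functions. The block below is an added illustration, not Dropbox's code; the deny-list, the session records and the reference time are constructed for the example, and the `known_countries` baseline stands in for whatever login history a real service would keep.

```python
"""Added example (not Dropbox's code): policy checks of the kind the
article describes. All data here is constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed, deliberately tiny deny-list; a real deployment would load a
# much larger list of breached/common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dropbox"}

# Constructed reference time so the example is deterministic.
NOW = datetime(2012, 8, 1, tzinfo=timezone.utc)


def password_change_required(password, last_changed, now=NOW, max_age_days=365):
    """Return the reason a forced change is needed, or None if the
    password is acceptable. The plaintext is only available at sign-in,
    which is where a service would run this check; stored passwords
    stay hashed."""
    if password.strip().lower() in COMMON_PASSWORDS:
        return "commonly used password"
    if now - last_changed > timedelta(days=max_age_days):
        return "password not changed in over %d days" % max_age_days
    return None


# Constructed session records, as an "active log-ins" page would list them.
SESSIONS = [
    {"user": "alice", "ip": "203.0.113.10", "country": "US",
     "device": "MacBook", "login": datetime(2012, 7, 28, 9, 0, tzinfo=timezone.utc)},
    {"user": "alice", "ip": "198.51.100.7", "country": "NL",
     "device": "Windows (unknown)", "login": datetime(2012, 7, 30, 2, 15, tzinfo=timezone.utc)},
    {"user": "bob", "ip": "192.0.2.44", "country": "UK",
     "device": "iPhone", "login": datetime(2012, 7, 31, 18, 40, tzinfo=timezone.utc)},
]


def active_logins(sessions, user):
    """Every active session for one account, newest first, so the user
    can spot and revoke anything they do not recognise."""
    mine = [s for s in sessions if s["user"] == user]
    return sorted(mine, key=lambda s: s["login"], reverse=True)


def suspicious_logins(sessions, user, known_countries):
    """Sessions for `user` from a country not in the account's baseline.
    `known_countries` is assumed to come from the account's login history;
    here it is passed in directly."""
    return [s for s in active_logins(sessions, user)
            if s["country"] not in known_countries]


if __name__ == "__main__":
    print(password_change_required("Qwerty", datetime(2012, 7, 1, tzinfo=timezone.utc)))
    for s in suspicious_logins(SESSIONS, "alice", known_countries={"US"}):
        print("unfamiliar login:", s["ip"], s["country"], s["device"])
```

The country baseline is the weak point of any such check: a credential-stuffing login from the victim's own region passes it, which is why the article pairs this view with a second factor rather than relying on it alone.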

“At the same time, we strongly recommend you improve your online safety by setting a unique password for each Website you use,” Agarwal blogged. “Though it’s easy to reuse the same password on different Websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.”

Users whose usernames and passwords were stolen from other Websites have been notified, Agarwal added.

The email addresses on the project document were apparently not obfuscated or encrypted.

This breach illustrates the downside of not having rigorous access controls in place around sensitive data, said Todd Thiemann, senior director of product marketing for Vormetric.

“A document containing lots of customer email addresses would seem to be quite sensitive and require protection,” he said. “So encrypting this file after it leaves the database is a security best practice. Companies need to re-evaluate what constitutes sensitive data. While email addresses may not be regulated like credit card data, the damage caused when these are stolen can be as great [as] or greater than impact associated with stolen credit card numbers.”

The incident also serves as a lesson not to use the same password for multiple sites, said Stephen Cobb, security evangelist at ESET.
