Dropbox blames employee account breach for spam attack

01.08.2012
Dropbox said Tuesday one of its employee's accounts was compromised, leading to a raft of spam last month that irritated users of the cloud-storage service.

A stolen password was used to access the employee's account, which contained "a project document with user email addresses," Dropbox engineer Aditya Agarwal wrote on the company's .

"We believe this improper access is what led to the spam," Agarwal wrote. "We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again."

The company also found that usernames and passwords that had been stolen from other websites were used to access "a small number of Dropbox accounts," Agarwal wrote. Hackers commonly try username and password combinations from breaches on other web services in hopes people use the same combination, a common security problem.

The spam, written in German, English and Dutch, advertised gambling websites and seemed to affect only European users. Many of those users wrote on the company's forum they had used a unique email address solely for Dropbox, leading to suspicions the company had been hacked.

Dropbox brought in an outside security team to investigate, but maintained on July 21 that it had found no intrusion of its internal systems or other compromised accounts.