“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” the company wrote in a blog post today. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.”
Over at Ars Technica, Jon Brodkin has more. Evidently, the illicit access happened because a Dropbox employee’s account was hacked.
Dropbox noted that users should set up different passwords for different sites. The site is also increasing its own security measures. In a few weeks, Dropbox said it will start offering an optional two-factor authentication service. This could involve users logging in with a password as well as a temporary code sent to their phones.
Good to hear. Google is another popular service that offers such two-step authentication for its services, and I’m a big fan of that. And, of course, it’s always smart not to use, say, the same easily cracked password for Dropbox that you do for your online banking.