Dropbox has confirmed on their blog that email addresses of user accounts were compromised. A few weeks back, Dropbox users began posting to the Dropbox support forums complaining about spam. These were users who had registered a unique email address used only for Dropbox.
While it’s possible that some of the users could have been mistaken, the number of users reporting the same issue pointed to a compromise of email addresses.
According to their post:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.
They go on to state that:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.
So the compromise wasn’t the work of an ‘army of hackers’ who broke in by typing thousands of lines of code.
A login was compromised, and that login was used to gain access to a plain-text document containing a list of Dropbox user email addresses.
Dropbox has added a number of new security features, including two-factor authentication and “automated mechanisms to help identify suspicious activity.” If you use Dropbox and haven’t done so already, it’s a good idea to change your password now. Don’t use a password/email combination that you also use on other sites. We recommend KeePass for generating and securely storing your passwords.
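As an added example that is not part of the original post, the following Python sketch shows the kind of “automated mechanism to identify suspicious activity” that catches the attack described here: one source replaying credentials stolen elsewhere against many different accounts. The log format, IP addresses, usernames and thresholds are constructed assumptions, not Dropbox’s.

```python
# Added example (not from the original post). Flags credential-stuffing
# sources: one IP trying many distinct accounts inside a short window.
# Log format, addresses and thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2012-07-30T10:00:01 203.0.113.7 alice@example.com FAIL
2012-07-30T10:00:02 203.0.113.7 bob@example.com FAIL
2012-07-30T10:00:03 203.0.113.7 carol@example.com FAIL
2012-07-30T10:00:04 203.0.113.7 dave@example.com OK
2012-07-30T10:00:05 203.0.113.7 erin@example.com FAIL
2012-07-30T10:00:06 203.0.113.7 frank@example.com FAIL
2012-07-30T10:05:00 198.51.100.2 alice@example.com FAIL
2012-07-30T10:05:10 198.51.100.2 alice@example.com OK
"""

def parse_events(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: {"accounts": n, "successes": {...}}} for every source that
    tried at least `min_accounts` distinct usernames within one `window`.
    A legitimate user retrying their own password (198.51.100.2 above) is
    never flagged; the successes of a flagged source are the accounts whose
    reused password is evidently known to the attacker and should be reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):           # sliding time window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {u for _, u, _ in span}
            if len(accounts) < min_accounts:
                continue
            hit = flagged.setdefault(ip, {"accounts": 0, "successes": set()})
            hit["accounts"] = max(hit["accounts"], len(accounts))
            hit["successes"] |= {u for _, u, ok in span if ok}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse_events(SAMPLE_LOG)))
```

The window and account thresholds are tuning knobs; the point is that a stolen-password replay looks nothing like a normal user mistyping their own password.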
Dropbox is a great service, and it’s free. This should serve as a reminder, though, that things don’t work like they show you on CSI.
Update, 8.27.2012: In response to the recent security issue with user account emails, Dropbox has added two-factor authentication. If you use Dropbox, we strongly recommend enabling this feature.