Dropbox this week fessed up to having been hacked, most notably an employee account that contained project data including a list of customer emails (at least it shows they use their own product). That resulted in a rash of spam that eventually led to the discovery of the compromised passwords.
A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
They claim it was usernames and password stolen from other sites that led to the trickledown effects on Dropbox accounts. Another reason to use a different password for every site you sign up for.
Their post on the topic includes news of a new page that lets you examine all active logins to your account.