A couple of weeks ago, a few hundred Dropbox users started to report that they were receiving lots of spam e-mails to do with gambling, online casinos, and whatnot. Dropbox investigated these attacks with the help of a third-party company and has now given its first update on the progress: some accounts were indeed hacked. Treating the current issue as closed, Dropbox assured users that additional security features to counter further problems were en route.
A number of Dropbox users noticed a significant increase in the level of spam hitting their accounts on July 17. Suspicions arose when users reported that they were receiving spam only on e-mail accounts tied to Dropbox, which indicated that the address leak had come from the online storage site itself. Many of the reports came from European users (from Germany, the UK, and the Netherlands).
Dropbox responded promptly and, less than 24 hours later, posted a message to the forums reassuring users that "an outside team of experts," along with law enforcement, would back up its security team in the investigation. Now, the online storage company has offered the first round of results from that investigation.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post on Tuesday, July 31. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."
Dropbox did not specify how many accounts were hijacked, so there is no word yet on what that "small number of accounts" actually amounts to. The company said it has contacted all users whose accounts were accessed and is helping them to further increase their protection. The company apologized for the unfortunate incident and said it has "put additional controls in place to help make sure it doesn't happen again."
Additional Security Steps
Dropbox has also outlined a number of additional security steps in the blog post. These steps include two-factor authentication, new automated mechanisms, a new page, and more.
Two-factor authentication increases the security of your account by requiring a unique code in addition to your password when signing in. It is optional and will make your account more secure (provided that entering another code does not bother you). This feature will be available in a few weeks.
The new automated mechanisms are designed to help identify suspicious activity, and Dropbox will gradually add more of them to further boost security. In addition, a new page will allow users to examine all active logins to their accounts. Also, in some instances, Dropbox may prompt users to change their passwords (i.e., if a password is too common or has been in use for a long time).
Dropbox is holding up its end of the bargain and is taking steps to improve security, but at the same time it reminds users that they should use a unique password for each website they use. "Though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk," warned the company.
© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.