Dropbox Confirms Email Addresses Were Pilfered

bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.

Re:Nice of the hackers to tell us

[evilRhino]

Actually, the hackers didn't tell anyone. If people hadn't set up specific email addresses for their dropbox account, checked these boxes for mail, and reported spam, this might have never been discovered.

Lecturing Us About Password Security?

[Captain Hook]

given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.

When the hackers tried his credentials on the dropbox site, they found his dropbox account used the same password and were able to access all the files he was storing which contained a list of names and email addresses.

They are mentioning using different passwords for different sites not because they are worried about your password but because it was how dropbox themselves got attacked.