"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts," Dropbox engineer Aditya Agarwal stated in a company blog post.
One of the stolen passwords was used to hack a Dropbox employee's account, which had a document with users' e-mail addresses, according to Agarwal's statements.
The company is taking further steps to prevent future attacks including an option for users to provide two forms of identification—such as a password and another temporary code—when signing in, automated systems to help track suspicious activity and a page that allows users to view all log-in activity.
Users may also be prompted to change their password, for instance, if the user has had the same password for a long time.