The cloud storage service Dropbox is blaming a recent spam attack on a stolen password from a breach on another website.
About two weeks ago, Dropbox users began reporting spam messages sent to the email addresses they were using for their Dropbox accounts. After investigating the matter, the cloud storage company discovered that usernames and passwords stolen from another site had also been used to access some accounts.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts," Dropbox engineer Aditya Agarwal stated in a company blog post.
One of the stolen passwords was used to hack a Dropbox employee's account, which had a document with users' e-mail addresses, according to Agarwal's statements.
The company is taking further steps to prevent future attacks, including an option for users to provide two forms of identification (such as a password and another temporary code) when signing in, automated systems to help track suspicious activity, and a page that allows users to view all log-in activity.
Users may also be prompted to change their passwords, for instance if they have had the same password for a long time.