In a blog post from Dropbox engineer Aditya Agarwal published July 31, the company confirms that recent spamming incidents reported by the Dropbox user community were caused by a security breach.
"A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update," wrote Mr Agarwal.
A thread on the Dropbox forums concerning the spam was started two weeks ago by user David P. It now stretches ten pages long and contains more than 250 posts.
"We also received spam mails which we can trace back to our Dropbox accounts. We want to urge you to look into this issue!" wrote user Frank W.
"Many more users reporting the same on Twitter," added Stefanie G.
In the aforementioned blog post, Mr Agarwal writes that a Dropbox investigation found that usernames and passwords recently stolen from other websites had been used to access Dropbox accounts.
Apparently one of those accounts belonged to a Dropbox employee and contained user email addresses. This is likely what caused the spam that has been reported on the Dropbox forums.
Mr Agarwal took the opportunity to remind users to use a different password for each of their online accounts, so that credentials stolen from one website cannot be used to access another.
"We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again," wrote Mr Agarwal.