"A stolen password was used to access the employee's account, which contained 'a project document with user email addresses,' Dropbox engineer Aditya Agarwal wrote on the company's blog," writes Computerworld's Jeremy Kirk. "'We believe this improper access is what led to the spam,' Agarwal wrote. 'We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again.'"
"For me there are a few really concerning elements to this news and the way it was handled," writes Trend Micro's Rik Ferguson. "A Dropbox engineer was using live customer information in a 'project document,' why, shouldn’t they be using dummy data? This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised. It is not specified which services they refer to, but again, why?"
"Some Dropbox customer accounts were hacked too, but this was apparently an unrelated matter," writes Ars Technica's Jon Brodkin. "'Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts,' the company said."
"Dropbox failed to say how many account records had been compromised, stating that its investigation remains ongoing," writes The Register's John Leyden. "In the meantime it has promised to introduce tougher security controls such as optional two-factor authentication systems for logins, 'new automated mechanisms to help identify suspicious activity' and systems to force users to retire passwords that are weak or haven't been changed in ages."