The story is that apparently the attackers got user IDs and passwords from attacks on other applications. They then tried these same credentials on a number of internet sites, including Dropbox. You can read the Dropbox blog post here.
This is a typical attack scenario, as I've discussed before. Part of the value of stealing a password file from a site or organization is that people unfortunately reuse their IDs and passwords on other sites. This is because it's difficult to remember all those passwords! I won't go into that issue because I've covered it plenty of times in the past.
In this case, like many others, the attackers simply try the IDs and passwords on other sites. It's almost guaranteed that they will get some logins that work. That is apparently what happened here.
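The pattern described above has a recognizable signature on the defending side: one source trying many different accounts, mostly failing, with the occasional reused password that works. The following is an added example (not from the Dropbox post or any Dropbox code) that scores login events for that pattern and lists the accounts whose reused credentials succeeded, so they can be reset and moved to 2-factor. The log format, thresholds and sample events are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of login events (not real data):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2014-10-14T02:11:03Z 203.0.113.7 alice FAIL
2014-10-14T02:11:04Z 203.0.113.7 bob FAIL
2014-10-14T02:11:04Z 203.0.113.7 carol OK
2014-10-14T02:11:05Z 203.0.113.7 dave FAIL
2014-10-14T02:11:06Z 203.0.113.7 erin FAIL
2014-10-14T02:11:07Z 203.0.113.7 frank FAIL
2014-10-14T02:11:08Z 203.0.113.7 grace OK
2014-10-14T09:30:00Z 198.51.100.20 alice FAIL
2014-10-14T09:30:05Z 198.51.100.20 alice OK
2014-10-14T10:02:11Z 192.0.2.33 bob OK
"""

def parse_events(text):
    """Parse the constructed 4-field log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that tried many distinct accounts with mostly failures,
    the signature of replaying a leaked ID/password list against this site.
    Thresholds are assumptions for the example, not a tuned baseline."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["ok"] += int(e["ok"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users and s["ok"] / s["attempts"] <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["ok"]}
    return flagged

def analyze(text):
    """Return (flagged sources, accounts that logged in OK from a flagged source).
    The second list is the set of reused passwords that 'worked'."""
    events = parse_events(text)
    flagged = find_stuffing_sources(events)
    hit = sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})
    return flagged, hit
```

On the sample, the one source that cycled through seven accounts is flagged, and the two accounts it logged into are reported; the single user retrying their own password from a different address is not.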
So... Dropbox wasn't hacked... this time! Of course, there have been a number of successful breaches of Dropbox in the past!
More on that in a moment, but I want to make a quick editorial comment on the use of the term "hacked".
Hacking, Hackers, Hacked... have all become misused words. "Back in the day...", hacking was a good thing. It's how we figured out how to make technology work before manuals and point-and-click. These days, the term has become demonized. A hacker is not a bad person... just a curious person. There can be good hackers or malicious hackers. So the term should be appropriately qualified. And we should speak of attacks or breaches, not hacks of sites.
Back to the story... Dropbox was attacked and suffered breaches in both 2011 and 2012. In the 2011 attack, a coding bug allowed anyone to connect to any user's files without logging in. In the 2012 attack, similar to this most recent issue, password reuse contributed to a number of accounts being compromised, including the account of a Dropbox employee. That employee did have access to accounts and contact info for many Dropbox users.
- Don't reuse passwords! I've covered this topic a number of times. If you reuse your login credentials among sites, when one of those sets gets compromised... all of them are. At home, you can make this all so much easier by using a password vault.
- Use 2-factor or 1-time passwords on any internet site that allows them. Here are a few links with instructions. Here's how to do it for Dropbox.
- At work, use only sanctioned file sharing methods. If you share work information on a filesharing site that has not specifically been sanctioned by your IT and Security groups, you are putting yourself, your organization and your customers' data at risk as well as likely violating policy. Check with your organization to see what is allowed. In Dropbox's defense, they do offer enterprise contracts... but it's only the right choice if it meets your business requirements and your organization has such a contract! First, figure out why you need to keep company information on the public internet... then decide what technology accomplishes that purpose! Work with your IT and Security teams.
Does your organization have a policy and solution around online file storage? Do you store company information or data on unsanctioned internet sites? Have you checked your Dropbox credentials lately? Are you using a password vault at home?