The bad news: Dropbox has admitted to some security issues, including a handful of hijacked user accounts. The good news: there are enhanced security options on the way.
Here's the official word from Dropbox:
"[We] found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again."
If you've been receiving new, suspicious spam in your inbox, Dropbox could be the culprit. (To be clear, it appears that no passwords were leaked.)
To improve its security, Dropbox is adding two useful user-facing features:
- Two-factor authentication is coming to Dropbox, reportedly in a few weeks. If you're not familiar with two-factor authentication, read our primer on why you should use it.
- A new Account Activity page shows you all the "computers, phones, and tablets that have access to your Dropbox". This is available now.
Dropbox doesn't appear to be providing any way to check whether your email address was included in the leak.
Security update & new features [Dropbox Blog]