Dropbox explains breach, will introduce two-factor authentication

By Lee Kaelin on August 1, 2012, 4:30 PM

An investigation started a fortnight ago by external experts at the request of Dropbox has concluded that an employee's hacked account led to a limited number of users receiving spam in their registered email accounts. On its official blog, Dropbox said the stolen password was "used to access an employee Dropbox account containing a project document with user email addresses."

Apparently the Dropbox employee was reusing his corporate password on other web services which were compromised. That alone is a major security oversight on his part but perhaps more worrysome is the fact that he was using live customer information in a “project document” rather than dummy data.

Likewise, the company also found that usernames and passwords recently stolen from other websites were used to sign in to "a small number of Dropbox accounts," though they did not cite specific numbers.

Besides offering an update to its users, the cloud storage company also announced it is taking several steps to improve the safety of Dropbox accounts going forward, including an optional two-factor authentication system that will be arriving shortly. A new page has also be created to show users all their active logins, which will later be matched with mechanisms to automatically identify any suspicious activity.

Dropbox also reminded users to follow recommended industry practices by using unique passwords for each online account. While these can be hard to remember, services like LastPass make it easier, with one single password to remember. Those that have easily cracked passwords, or haven't changed them in a long time will be notified by email that they need to be changed.

This is not the first time security concerns have been raised by Dropbox users. Most notably, in June last year a bug disabled the service's authentication mechanisms for four hours, allowing anyone to log into accounts with any string of text for the password.

User Comments: 3

Got something to say? Post a comment
SNGX1275 SNGX1275, TS Forces Special, said:

I got an email from them last night saying they reset my password, and I should click this link to create a new one. That sounded pretty 'phishy' to me, so I asked my roommate to check her email since she also uses dropbox. She didn't have an email, so that raised even more flags.

But I clicked through anyway, with the intention of watching the URL, seeing if browser picked up on any phishing, ect. Everything looked fine, but I still didn't feel right about it. So I just typed in dropbox.com and manually reset my password.

I guess if dbox automatically resets my pass, then everything is still cool on my end, because if you do it yourself manually, you still don't have to reauth on individual devices. But I just felt better doing it myself.

Leeky Leeky said:

I pretty much always do the same thing if I ever get an email telling me to change it. Always feel safer going straight to the website in question and changing it with them rather than clicking some link in an email.

Devon_D Devon_D said:

It is sad to see something like this happen, but I think this is the type of wake-up call that they needed to kick the complacent attitude about authentication and passwords. There continues to remain the need for more preventative measures to be put in place. For example many of the leading online storage providers are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim that the verification process makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more providers start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.