Dropbox explains breach, will introduce two-factor authentication


An investigation started a fortnight ago by external experts at the request of Dropbox has concluded that an employee's hacked account led to a limited number of users receiving spam in their registered email accounts. On its official blog, Dropbox……

Read more: https://www.techspot.com/news/49605-dropbox-explains-breach-will-introduce-two-factor-authentication.html


I got an email from them last night saying they reset my password, and I should click this link to create a new one. That sounded pretty 'phishy' to me, so I asked my roommate to check her email since she also uses Dropbox. She didn't have an email, so that raised even more flags.

But I clicked through anyway, with the intention of watching the URL, seeing if the browser picked up on any phishing, etc. Everything looked fine, but I still didn't feel right about it. So I just typed in dropbox.com and manually reset my password.

I guess if dbox automatically resets my pass, then everything is still cool on my end, because if you do it yourself manually, you still don't have to reauth on individual devices. But I just felt better doing it myself.


I pretty much always do the same thing if I ever get an email telling me to change it. Always feel safer going straight to the website in question and changing it with them rather than clicking some link in an email.
It is sad to see something like this happen, but I think this is the type of wake-up call that they needed to kick the complacent attitude about authentication and passwords. There continues to remain the need for more preventative measures to be put in place. For example, many of the leading online storage providers are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim that the verification process makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more providers start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.