Two weeks ago we reported on Dropbox users suddenly receiving a bunch of SPAM to email addresses created only for use with a Dropbox account. Yesterday Dropbox responded to those reports and denied their servers ever being breached in the first place.
As it turns out, some of the email addresses that were intercepted were picked up due to someone gaining access to an employee account, using a stolen password lifted from elsewhere.
So although the employee account was accessed, the customer information that was stolen was very limited, as Dropbox employee Aditya Agarwal points out:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
The security measurements that have been added are pretty impressive, and although not all of the new features are working yet, it does show that Dropbox is taking these matters of security very seriously.
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
Agarwal also points out "Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk." and suggested people use a tool like 1Password to manage strong passwords over multiple sites.
Kudos to Dropbox for stepping up!
Source: Dropbox Developer Blog