Dropbox rolls out new security features, denies server breach

Two weeks ago we reported on Dropbox users suddenly receiving a bunch of spam at email addresses created solely for use with a Dropbox account. Yesterday Dropbox responded to those reports and denied that its servers were ever breached in the first place.

As it turns out, the email addresses that were intercepted were picked up because someone gained access to an employee's account using a password that had been stolen from another site.

So although the employee account was accessed, the customer information that was taken was very limited, as Dropbox employee Aditya Agarwal points out:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

The security measures that have been added are pretty impressive, and although not all of the new features are working yet, they do show that Dropbox is taking security very seriously.

  • Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
  • New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
  • A new page that lets you examine all active logins to your account.
  • In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

Agarwal also points out that "Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk," and suggests that people use a tool like 1Password to manage strong passwords across multiple sites.

Kudos to Dropbox for stepping up!

Source: Dropbox Developer Blog


6 Comments


Teebor said,

Worse than who? I think you mean Worst

Anyway EA way worse

I meant "worst" but couldn't edit my post once I've seen my mistake

Also I don't think that EA employees are storing EA users' email addresses in their personal accounts that can be accessed by anybody who has their password.

Dropbox is without a doubt one of the best free and payed cloud services. Never failed on me.

Props to them for keeping up with security. After all, it's our data there too.

This issue is why do companies wait for a security breach before increasing their security?

BTW it's paid not payed.

SK said,

"This issue is why do companies wait for a security breach before increasing their security?"

Because it costs money.