When a few hundred Dropbox users began receiving spam emails about online casinos and gambling sites two weeks ago, it seemed like something was up. And indeed there was.
The online file storage service confirmed today that hackers accessed usernames and passwords from third party sites and then used them to get into Dropbox users’ accounts.
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” the company wrote in a blog post today. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.”
When the problem first began earlier in the month, several Dropbox users posted on the company’s Web site forum saying they received spam from email addresses only associated with Dropbox. By the time the company got a hold on the situation, 295 people had posted on the forum. The majority of the users were European, coming from Germany, Holland, and the U.K.
Dropbox has since put in place additional security controls to avoid a repeat occurrence. According to the company blog post, here are some of the steps it is taking:
Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
A new page that lets you examine all active logins to your account.
In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
The file storage service also recommends that users avoid using the same password on multiple sites, since it means that if one site has a security breach then all accounts could be at risk. As TechCrunch notes, Dropbox’s security breach is eerily reminiscent of LinkedIn’s mega-password leak in June, not that the two were related or even on the same scale.