Dropbox reported that users had begun complaining of spam arriving at email addresses they used only for Dropbox. Dropbox dug into those reports and found a small problem.
The investigation showed that usernames and passwords recently stolen from other websites had been used to log in to a small number of Dropbox accounts. The affected users have already been notified, and steps were taken to help protect their accounts.
Worse, a Dropbox employee's account was accessed with a stolen password, which exposed a project document containing user email addresses. Dropbox apologized to its users and says it has put additional controls in place to prevent this from happening again.
Dropbox added the following new features:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
It is always a good idea to use a unique password for each website, though this is not always practical. Using one password for all of your favorite sites leaves you vulnerable to exactly this kind of attack: once one site is compromised, every other site where you reuse that password is at risk too. Dropbox asks that you contact them at firstname.lastname@example.org if you have any further questions about this breach.