In a post on its blog, Dropbox has detailed a recent security breach that resulted in a ‘small number’ of accounts being logged into in an unauthorized manner. The breach was caused by passwords stolen from ‘other websites’, says Dropbox’s Aditya Agarwal.
One of the accounts accessed was an employee’s, which contained a document with user email addresses, causing spam issues, which was one of the first warning signs that something was wrong. The company then hired outside investigators to figure out what exactly was going on. Agarwal says that checks have been put in place to stop something like this from happening again, presumably by not storing customer info in employee Dropboxes.
The site says that there will be four new steps taken to prevent issues in the future, including two-step authentication, similar to what Google has (optionally) in place in Gmail.
These are the precautions:
- Two-factor authentication, a way to optionally require a unique code in addition to your password when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
Obviously, if these users had not been using the same password on multiple websites, this wouldn’t have been an issue for Dropbox. We never recommend that you use a password on more than one online service for this explicit reason.
Agarwal mentions that apps like 1Password can help you to store strong, if forgettable, passwords. The users who had their accounts accessed have been contacted by Dropbox directly and have been aided in protecting them for the future.
Image Credit: Johan Larsson