Dropbox has confirmed recent spam received by users was indeed the result of a security breach. It’s responding by introducing several new security measures.
The company’s investigation into the spam complaints found that several accounts had been accessed without authorization because the account holders had used the same username and password combination on Dropbox as on other sites that have recently been hacked on a much larger scale.
Unfortunately, one of those caught out this way was a Dropbox employee, whose account included a work document listing an unconfirmed number of e-mail addresses belonging to Dropbox customers. These appear to be the addresses that were then hit by spam.
Dropbox says: “We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.” No doubt that will involve a major dressing down for the staff responsible, but it does raise an awkward dilemma. The smart security advice is not to store sensitive information online in unencrypted form, in case it is accessed without permission. At the same time, one of the main selling points of services like Dropbox is that files can’t be accessed without permission.
While Dropbox is reminding users (and certain staff members) of the importance of using separate login details for every site, it’s making several security changes. Users will now be able to view a log of every time their account has been accessed, meaning they may be able to spot something suspicious. I’d suggest that, as well as offering this separate log, the site take a leaf out of my online bank’s book: whenever you log in, it shows you the time of the last login to your account.
Behind the scenes, the site is adding “automated mechanisms to help identify suspicious activity.” It’s also going to start forcing users to change passwords on occasion, either if the password seems too easy to crack or if it hasn’t been changed for a long time. That’s a delicate balance, as making people change passwords too often can lead them to fall back on simpler and less secure choices.
Finally, Dropbox will be introducing optional two-factor authentication for users who want added security and don’t mind a little extra inconvenience. That means a password alone is no longer enough: you also need a second form of identification, such as a one-time code sent via text message.