Dropbox hacked? Well, apparently some of its user accounts were actually hijacked. Dropbox, the online file storage service, confirmed on Tuesday that some user accounts were indeed accessed by hackers. Its investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. In other words, even after so many warnings, users are still using the same username and password for multiple accounts. In response, Dropbox has sent password change notifications to the affected users and says it is adding more security features, including two-factor authentication, to prevent a repeat.
If you are wondering what is actually going on: it all started on July 17, 2012, when a few Dropbox users began receiving spam at email addresses that were used exclusively for their Dropbox account. That can only mean that either the email addresses were leaked via Dropbox itself or Dropbox itself was hacked. Users started reporting the issue on the Dropbox forums, and some began wondering whether their favorite cloud backup service had been compromised. The reports came mainly from international users, chiefly in Germany, the U.K. and the Netherlands.
Dropbox quickly responded to these reports. The company said that its own security team, together with law enforcement and “an outside team of experts”, was investigating the issue. The first report on that investigation is now out.
According to the report, the company said (via Aditya Agarwal, VP of Engineering) that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.”
Dropbox is now implementing additional security controls to avoid a repeat of such incidents. According to the company blog post, these are some of the steps it is taking:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
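Two of the steps above, automated detection of suspicious activity and a page listing active logins, are the kind of controls that catch password-reuse attacks early. The following is an added example, not Dropbox's code: it runs a simple detection over a constructed set of login events and flags a single source IP that tries many different usernames in a short window (the signature of stolen credentials being replayed), lists which accounts signed in successfully from that source so their owners can be notified, and produces a per-user view of recent successful logins. The event format, window and threshold are assumptions chosen for illustration.

```python
"""Detect credential-replay login activity and list active sessions.

Added example, not Dropbox's own code. The event tuple layout, the
5-minute window and the 5-account threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, username, source IP, success).
# One source tries six different accounts in ten seconds; two attempts succeed.
SAMPLE_EVENTS = [
    ("2012-07-17T10:00:00", "alice", "203.0.113.5", False),
    ("2012-07-17T10:00:02", "bob", "203.0.113.5", False),
    ("2012-07-17T10:00:04", "carol", "203.0.113.5", True),
    ("2012-07-17T10:00:06", "dave", "203.0.113.5", False),
    ("2012-07-17T10:00:08", "erin", "203.0.113.5", True),
    ("2012-07-17T10:00:10", "frank", "203.0.113.5", False),
    ("2012-07-17T11:30:00", "alice", "198.51.100.20", True),
    ("2012-07-17T12:00:00", "carol", "192.0.2.77", True),
]


def parse_events(events):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.fromisoformat(ts), user, ip, ok) for ts, user, ip, ok in events]


def find_replay_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: set_of_usernames} for every source IP that attempted logins
    to at least min_accounts distinct accounts within any sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ok in parse_events(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def accounts_to_notify(events, flagged):
    """Accounts that were successfully signed in from a flagged source IP;
    these are the users who should get a password-change notification."""
    return sorted({user for _ts, user, ip, ok in parse_events(events)
                   if ok and ip in flagged})


def active_sessions(events, now_iso, max_age=timedelta(hours=24)):
    """Per-user list of (ip, timestamp) for successful logins within max_age,
    the data an 'active logins' page would show."""
    now = datetime.fromisoformat(now_iso)
    sessions = defaultdict(list)
    for ts, user, ip, ok in parse_events(events):
        if ok and now - ts <= max_age:
            sessions[user].append((ip, ts.isoformat()))
    return dict(sessions)


if __name__ == "__main__":
    flagged = find_replay_sources(SAMPLE_EVENTS)
    print("Suspicious sources:", flagged)
    print("Notify:", accounts_to_notify(SAMPLE_EVENTS, flagged))
    print("Active sessions:", active_sessions(SAMPLE_EVENTS, "2012-07-17T13:00:00"))
```

The detector keys on distinct usernames per source rather than on failure counts alone, because a replay of stolen credentials succeeds often enough that a failures-only rule would miss the accounts that matter most. A user who sees an unfamiliar IP in their active-sessions list has the same signal from the other side.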
The Dropbox account hijack and spam episode proves one thing: using the same username and password to log in to multiple websites or services is a VERY BAD IDEA. Are you still using the same password for multiple accounts?