Dropbox Admits Some User Accounts Were Compromised, Promises New Security Measures
Using a stolen password, a hacker accessed a Dropbox employee account and stole a company document that contained a list of user email addresses.
In the weeks that followed the theft, users began seeing a serious uptick in the number of spam emails they received. Many noticed that the only email addresses getting hit by the spam were those associated with their Dropbox accounts, which led to complaints in Dropbox’s user forums.
Tuesday was the first time that Dropbox admitted to the security breach.
“Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen,” Dropbox employee Aditya Agarwal wrote in a company blog post. “We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
Those controls include optional two-factor authentication for sign-in (which basically means giving Dropbox two forms of proof that you are who you say you are), a page that lets users monitor active account logins, and “new automated mechanisms to help identify suspicious activity” (though Dropbox doesn’t detail what those are).
This isn’t the first time Dropbox has had security issues with its online storage service. About a year ago, an error made by a programmer left all users’ accounts accessible with any random password, putting millions of users’ data at risk for about four hours.
Dropbox stated its new security measures would be deployed to the service in the coming weeks.