Only a little over a week ago, Dropbox and their outside experts were claiming that there was no evidence of a hack. As it happens, they were wrong. They’ve now confirmed that some users did see unauthorized activity on a small number of accounts due to the recent slew of passwords being leaked across the Internet. On top of that, one of their employees had their account — which included a document with user email addresses — accessed as well. Oops.
Dropbox’s blog post explains that the project document filled with users’ email addresses is likely the source of the spam folks had been complaining about. To guard against any further intrusions, they’ve implemented a number of security features that should help curb unauthorized activity. Their post specifically mentions the following:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
One wonders why a Dropbox employee would store project documents including email addresses in an account that had the same password as one of their other Internet accounts. That just seems like a majorly bad idea for anyone involved in a company that functions on the web. Regardless, the damage is done. Now, it’s time for users to change their Dropbox password if they haven’t already.