It’s time to double-down the locks on the Dropbox factory as today the company confirms that there was indeed a break-in and that a “small number” of account names and passwords have been stolen. This news comes after several hundred users reported spam being delivered to email addresses only associated otherwise with Dropbox, this thusly meaning that the Dropbox forums and/or larger database had been broken into. Dropbox today is confirming the attack and is making sure it never happens again.
Dropbox officials have written that they’ve found that it was not their own site, but a collection of third party sites that are to blame for poor security. When a set of users – seemingly unrelated to one another – had their account names and numbers lifted and applied to Dropbox. That’s just step one – the next step was that one of these accounts belonged to “an employee Dropbox account containing a project document with user email addresses.”
A note from Dropbox states that they believe it was this employee account’s document that listed all of the rest of the accounts and passwords that were attacked with spam. This type of attack doesn’t necessarily mean Dropbox’s security is to blame, but rather speaks to the fact that there may very well be some less than genius level employees amongst their ranks. The majority of the people affected by this incident appear at the moment to be coming from Germany, Holland, and the UK.
Regardless of who or what was to blame, Dropbox is taking additional steps to amp up security in the wake. They’ve assured users that they’ll now be using Two-factor authentication, “such as your password and a temporary code sent to your phone”, coming in the next few weeks. They’ve also assured a new set of automated mechanisms as well as a new page that’ll allow you to examine all of the logins your account has experienced.
Be sure to change your password soon and change your password often, folks, as this sort of “attack” is rather common these days in the Spam-friendly interweb space.