August 1, 2012

Dropbox Really Was Hacked, Implements New Security Features

Michael Harper for - Your Universe Online

A few weeks ago, some Dropbox users began to notice something strange: They were receiving spam at email addresses which had only been used to sign up for the popular cloud storage service. Within a matter of hours, the Dropbox team began to investigate these claims and even brought in a third-party to help them get to the bottom of these issues.

“We wanted to update everyone about spam being sent to email addresses associated with some Dropbox accounts. We continue to investigate and our security team is working hard on this. We´ve also brought in a team of outside experts to make sure we leave no stone unturned,” wrote Dropbox employee “Joe G.” in a July 18 blog post on Dropbox´s support forums.

Today, Dropbox has given an update on the process of their investigation, saying there were some accounts which have been hacked. Now, the cloud service is implementing a new security feature, allowing users to opt to use 2 forms of authentication to prevent any further issues.

In a new blog post, Aditya Agarwal explains that some Dropbox usernames and passwords had been taken from other websites and were used to log into a small number of accounts. These users have been notified of the breach and Dropbox has helped these users further protect their accounts.

As for how the hackers were able to reach a larger amount of passwords, Agarwal writes, “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We´re sorry about this, and have put additional controls in place to help make sure it doesn´t happen again.”

To ensure further protection, Dropbox is offering an optional two-factor authentication, placing an extra step in the sign-in process. According to the blog, this feature will roll out in a few weeks.

Dropbox is also saying they´ll start using “new automated mechanisms to help identify suspicious activity,” and will add more of these going forward.

They´re also creating a page that lets users see all active logins to their account, allowing users to investigate for themselves if there´s been any suspicious activity.

Finally, Dropbox says they´ll be asking some users to change their passwords, particularly if the password hasn´t been changed recently or if it´s not secure enough.

Agarwal concludes the post by encouraging all users to take a moment to improve their online security by creating unique passwords for each website used, a recommendation we´ve made numerous times before at

Users who keep one password for multiple sites play a very dangerous game, inviting a bit of a domino effect with their privacy and personal information. If the password (or worse, password and username) for one web service is used in multiple places, hackers could potentially have access to each service a user is subscribed to. In fact, it´s likely some Dropbox users had their accounts hacked after any of the numerous leaks we´ve already seen this year from the likes of eHarmony, or LinkedIn.