Several weeks ago, reports started to trickle out that a number of Dropbox users were being hit by spam. Since then, Dropbox has been investigating those reports (with some help from a third party) and today gave the first update on its progress, saying that some accounts were indeed accessed by attackers, and that it is now adding two-factor authentication and other security features to prevent further problems.
For some background: On July 17th, a number of Dropbox users began noticing an increase in the level of spam hitting their accounts. As Sarah reported at the time, the red flag appeared when users began reporting that the email addresses receiving spam had only ever been used for their Dropbox accounts, which indicated that the address leak had come from Dropbox itself. Many of those reports came from the company's international users, including users in Germany, the U.K. and the Netherlands.
To its credit, Dropbox was quick to respond. Less than 24 hours later, in a message posted to its forums, the company said it was bringing in "an outside team of experts" to back up its own security team in the investigation, along with help from law enforcement. Today, we received the first round of answers.
The company (via Dropbox's VP of Engineering, Aditya Agarwal) said in a blog post that its investigation found that usernames and passwords stolen from third-party websites were used to sign in to "a small number of Dropbox accounts." The company did not cite specific numbers, so it's not clear exactly how many accounts were accessed, but it did say that it has contacted those users and is helping them further protect their accounts.
The company also said that one of those stolen passwords was used to access a Dropbox employee’s account, which contained a project document with user email addresses. The company believes that “this improper access is what led to the spam.” The company also apologized and said that it has “put additional controls in place to help make sure it doesn’t happen again.”
What is that going to mean?
Dropbox is taking a number of steps, which it laid out in the post. We've shared them below:
Naturally, it appears that this issue is one in which both sides are somewhat culpable. On its end, Dropbox is taking steps to improve security, and meanwhile, it suggests that users come up with a unique password for each website they use. Reused passwords, again, are not your friend. As Dropbox points out, "though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk."
As to the spam controversy, the company did not say whether anything beyond opportunistic hackers was behind it, because the investigation is still ongoing. But keep in mind that there have been some fairly high-profile hacks and leaks recently, like the one that targeted LinkedIn back in June.
It would not be surprising to learn that Dropbox is essentially the first service to experience a ripple effect from that hack. The LinkedIn dump consisted of unsalted SHA-1 password hashes, a large share of which were cracked within days, and given that many people use the same password for multiple accounts, anyone holding those cracked passwords would not find it difficult to try them against Dropbox accounts belonging to the same email addresses.
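To make that ripple effect concrete, here is an added example (written for this article, not Dropbox's code) that simulates a credential dump from one site being replayed against a second site, and shows why a unique password or a second factor stops it. The leaked list, the accounts, the salts and the 20-byte TOTP secret are all constructed; the second factor is a plain RFC 6238 TOTP built on RFC 4226 HOTP, which is one common way a service implements the kind of two-factor login Dropbox announced, not a description of Dropbox's own implementation.

```python
"""Credential stuffing from a reused password, and why a second factor blocks it.

Added example. All emails, passwords, salts and the 'leak' below are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salt, so a leak from another site cannot be matched hash-to-hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None  # None means the user has not enrolled in 2FA


class Service:
    """Stand-in for a site like Dropbox: salted password hashes plus optional TOTP."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, password: str, salt: bytes,
                 totp_secret: Optional[bytes] = None) -> None:
        self.accounts[email] = Account(salt, hash_password(password, salt), totp_secret)

    def login(self, email: str, password: str, code: Optional[str] = None, now: int = 0) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return False
        if acct.totp_secret is None:
            return True  # password alone is enough without 2FA: this is the exposure
        # Accept the current window and one on either side to tolerate clock skew.
        return code is not None and any(
            hmac.compare_digest(code, totp(acct.totp_secret, now + skew))
            for skew in (-30, 0, 30)
        )


def credential_stuffing(leak: Dict[str, str], service: Service, now: int = 0) -> List[str]:
    """Replay every leaked email/password pair against `service`; return the accounts it opens."""
    return [email for email, pw in leak.items() if service.login(email, pw, now=now)]


# Constructed dump "from site A" (the role LinkedIn's leak played in the article).
LEAK = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "correct horse battery",
    "carol@example.com": "P@ssw0rd",
}

# The RFC 4226 / RFC 6238 test-vector secret, used here only so the codes are checkable.
CAROL_TOTP_SECRET = b"12345678901234567890"


def build_site_b() -> Service:
    """Constructed 'site B': alice reused her password, bob did not, carol reused it but has 2FA."""
    s = Service()
    s.register("alice@example.com", "Summer2012!", b"salt-a")
    s.register("bob@example.com", "unique-for-site-b", b"salt-b")
    s.register("carol@example.com", "P@ssw0rd", b"salt-c", totp_secret=CAROL_TOTP_SECRET)
    return s


if __name__ == "__main__":
    site_b = build_site_b()
    # Only alice falls: same password, no second factor.
    print(credential_stuffing(LEAK, site_b, now=59))
    # Carol's reused password is useless to the attacker without her current code.
    print(site_b.login("carol@example.com", "P@ssw0rd", now=59))
    print(site_b.login("carol@example.com", "P@ssw0rd", code=totp(CAROL_TOTP_SECRET, 59), now=59))
```

The point the simulation makes is that the salted hashing on site B is irrelevant to this attack: the attacker never touches site B's hashes, only its login form, so the only defences that matter are a password that differs per site or a second factor the dump does not contain.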