Dropbox Reports User Accounts Were Hijacked, Adds New Security Features

Several weeks ago, reports started to trickle out that a number of Dropbox users were under attack from spam. Since then, Dropbox has been investigating those attacks (with some help from a third-party) and today gave the first update on the progress, saying that some accounts were indeed accessed by hackers, but that it is now adding two-factor authentication and other security features to prevent further problems.

For some background: On July 17th, a number of Dropbox users begun noticing an increase in the level spam attacking their accounts. As Sarah reported at the time, the red flag appeared when users begun reporting that the email accounts receiving spam were in fact only tied to their Dropbox accounts, which indicated that the address leak had come from Dropbox itself. Many of those reports came from the company’s international users, including Germany, the U.K. and the Netherlands.

To its credit, Dropbox was quick to respond. Less than 24 hours later, in a message posted to forums, the company said they were bringing in “an outside team of experts” to back up their own security team in the investigation along with help from law enforcement. Today, we received the first round of answers.

The company (via Dropbox’s VP of Engineering, Aditya Agarwal) said in a blog post that its investigation found that the usernames and passwords were in fact stolen and were stolen from third party websites, which were then used to sign in to “a small number of Dropbox accounts.” The company did not cite numbers specifically, so it’s not clear exactly how many accounts were accessed, but the company did say that it has contacted those users and is helping them to further protect their accounts.

The company also said that one of those stolen passwords was used to access a Dropbox employee’s account, which contained a project document with user email addresses. The company believes that “this improper access is what led to the spam.” The company also apologized and said that it has “put additional controls in place to help make sure it doesn’t happen again.”

What is that going to mean?

Dropbox is taking a number of steps, which they laid out in the post. We’ve shared them below:

  • Two-factor authentication, a way to optionally require a unique code in addition to your password when signing in. (Coming in a few weeks)
  • New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
  • A new pagethat lets you examine all active logins to your account.
  • In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a while)

Naturally, it appears that this issue is one in which both sides are somewhat culpable. On its end, Dropbox is taking steps to improve security, and meanwhile, it suggests that users consider coming up with a unique password for each website they use. Reusable passwords, again, are not your friend. As Dropbox points out, “though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk.”

As to the spam controversy, the company did not say if there were any other causes behind this other than just some wayfaring miscreant, hacker-types, because the investigation is still ongoing. But keep in mind that there have been some fairly high-profile hacks and leaks recently, like the one that targeted LinkedIn back in June.

It would not be surprising to learn that Dropbox is essentially the first service to experience a ripple effect from that hack. Given that many people use the same passwords for multiple different accounts, if hackers were able to retrieve passwords from LinkedIn accounts, it wouldn’t be too difficult to gain access to Dropbox accounts.