Dropbox spam explained – new security features added

Yesterday Dropbox gave its verdict on the situation. It hadn’t been hacked in the traditional sense, but had suffered from the knock-on effect of other website breaches. “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts,” announced Aditya Agarwal on the company blog. It is a clear, documented instance of what security professionals have long warned about: don’t re-use a password across accounts, because once one site leaks it, every other account that shares it is exposed to whoever holds the stolen list.

The problem in this case, however, is that the spammers got lucky. One of the accounts they were able to access was that of a Dropbox employee – and one of the files they found was “a project document with user email addresses.” Dropbox doesn’t say what the file was for, nor how many user addresses were contained – nor does it make clear whether the users’ passwords were also included in the file. However, assuming that the file is still available to Dropbox, it does at least know precisely which users are at risk and is able to contact them.

In fairness to the company, it reacted swiftly. Within 24 hours of the first reports appearing, it announced on its user forum that it had “also brought in a team of outside experts to make sure we leave no stone unturned”, adding that a short outage at around the same time “was incidental and not caused by any external factor or third party.”

Now it has announced new features to increase users’ security. The most important of these will be optional two-factor authentication at sign-in, “such as your password and a temporary code sent to your phone,” it says; with a second factor in place, a password lifted from another site’s breach is no longer enough on its own to open the account. Internally, the company is adding new “automated mechanisms to help identify suspicious activity,” and it says it may require users with common or long-used and unchanged passwords to change them.
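As an added illustration (example code written for this page, not Dropbox’s own mechanism, which the company has not described), here is one way an automated check of the kind mentioned above could pick a credential-replay run out of a login log: a single source trying many distinct accounts in a short window and mostly failing, with any account that did succeed from that source queued for a forced password change. The log lines, IP addresses, window and thresholds are all constructed for the example.

```python
"""Flag credential-stuffing patterns in a login log (illustrative example).

Heuristic: one source address that attempts many *distinct* accounts inside a
short window, mostly failing, is replaying credentials stolen elsewhere.  Any
account that succeeded from such a source is treated as compromised and put on
the reset list.  Thresholds and the log format are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real data): "timestamp source_ip account outcome".
# 203.0.113.7 walks a stolen list; 198.51.100.4 is one user mistyping once.
SAMPLE_LOG = """\
2012-08-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2012-08-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2012-08-01T10:00:03Z 203.0.113.7 carol@example.com OK
2012-08-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2012-08-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2012-08-01T10:00:06Z 203.0.113.7 frank@example.com OK
2012-08-01T10:05:00Z 198.51.100.4 alice@example.com FAIL
2012-08-01T10:05:30Z 198.51.100.4 alice@example.com OK
2012-08-01T11:00:00Z 192.0.2.9 carol@example.com OK
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, account, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "account": account,
            "ok": outcome == "OK",
        })
    return events


def find_credential_stuffing(events, window_seconds=600, min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: {"accounts_tried": [...], "compromised": [...]}} for flagged sources.

    A sliding window per source IP is evaluated after every event: if it holds
    at least `min_accounts` distinct accounts and at least `min_fail_ratio` of
    the attempts failed, the source is flagged and every account that logged in
    successfully inside that window is recorded as compromised.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        window = deque()
        for e in evs:
            window.append(e)
            # Drop events that fell out of the window ending at this event.
            while (e["time"] - window[0]["time"]).total_seconds() > window_seconds:
                window.popleft()
            accounts = {w["account"] for w in window}
            failures = sum(1 for w in window if not w["ok"])
            if len(accounts) >= min_accounts and failures / len(window) >= min_fail_ratio:
                f = findings.setdefault(ip, {"accounts_tried": set(), "compromised": set()})
                f["accounts_tried"] |= accounts
                f["compromised"] |= {w["account"] for w in window if w["ok"]}

    return {
        ip: {"accounts_tried": sorted(f["accounts_tried"]),
             "compromised": sorted(f["compromised"])}
        for ip, f in findings.items()
    }


def accounts_to_reset(findings):
    """Sorted list of accounts that should be forced through a password change."""
    return sorted({acct for f in findings.values() for acct in f["compromised"]})


if __name__ == "__main__":
    found = find_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(f"{ip}: tried {len(f['accounts_tried'])} accounts, compromised {f['compromised']}")
    print("force reset:", accounts_to_reset(found))
```

On the constructed log, only 203.0.113.7 is flagged: it touched six accounts in six seconds with four failures, so carol and frank go on the reset list, while the single mistyped-then-correct login from 198.51.100.4 and the ordinary login from 192.0.2.9 pass untouched. In production the same logic would run over far larger windows and would usually be paired with per-account new-device checks, since a careful attacker spreads attempts across many source addresses.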

Finally, a particularly useful new feature is a ‘security’ page added to users’ account settings. This lists the devices that have access to the user’s account and when they last used that access; and all browsers currently logged into the account.
