Dropbox, a file-sharing service, confirmed on Tuesday a security breach that compromised many Dropbox accounts.
Aditya Agarwal, VP of engineering at Dropbox, stated in a blog post, “A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update. Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.”
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses,” said Agarwal. “We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
To address the security issues, Dropbox has outlined the following steps for Dropbox accounts (including those whose passwords were stolen):
- Two-factor authentication will be introduced in a few weeks. With this, a user will need two proofs of identity (such as their password and a temporary code sent to their phone) when signing in.
- They will continue adding new automated mechanisms to help identify suspicious activity.
- Users can examine all active logins to their account through a new page.
In addition, Dropbox suggested that users change their password if it is one they commonly use or if it hasn’t been changed for a long time. It also recommended that users set a unique password for each website they use, with tools like 1Password that can help in managing strong passwords across multiple sites.
Users can raise their concerns at firstname.lastname@example.org.