Dropbox passwords were leaked from third-party sites

Dropbox has finally offered an official statement about the odd spam some of its users started receiving last week. Usernames and passwords were indeed pilfered by hackers — but not from Dropbox itself. According to the company, the credentials were stolen from a handful of “other websites,” and many of the affected accounts were ultimately compromised because users failed to select a unique password for their Dropbox accounts.

Passwords are only part of the puzzle, of course. Where did those responsible for the breach find all the email addresses? It turns out that one Dropbox staff member was re-using a password, too. The contents of that employee’s Dropbox were accessed, and that included an internal project document with user email addresses stored in it.

You can’t necessarily blame Dropbox if passwords were stolen from some other site. You can’t blame them for users choosing to re-use passwords. But the company certainly needs to educate its staff about the importance of using unique passwords — particularly when their Dropbox stores contain any users’ private data. It might also be a good idea if such documents were encrypted before they were pushed to the cloud — just in case one did happen to get stolen.

On a good note, today’s announcement spells out some much-needed security improvements that are coming soon. Dropbox will finally be adding two-factor authentication, which will make it much more difficult for a breach like this to happen in the future — provided, of course, that users actually activate the feature.

Dropbox is also implementing a system that continuously checks for suspicious account activity and a new password-checking mechanism. If your password is commonly used or has never been changed, Dropbox may force you to change it. And, just like Google does with Gmail, Dropbox will provide a page where users can check all recent account activity themselves.
