Dropbox confirms security breach, reveals new strategy for account protection

1 Aug 2012

Dropbox has updated its security and added new features in response to a security breach discovered a few weeks ago, when some users alerted Dropbox that they were receiving spam at email addresses used only for Dropbox.

The cloud storage provider launched an investigation and discovered that some usernames and passwords for its members had been stolen and used to sign into accounts. Unluckily, one of these passwords belonged to an employee of Dropbox, giving hackers access to a Dropbox account that contained a document with user email addresses, which explains the spam complaints.

Dropbox contacted the affected users to help them protect their accounts and will be implementing new features to enhance security going forward. These include automated mechanisms to spot suspicious activity, a new Security tab where users can check all logins to their accounts, and optional two-factor authentication, which requires two proofs on sign-in, such as a password and a temporary code sent to a user’s phone.

Keep data secure in the cloud

As is usual after any security breach, Dropbox is advising users to set a unique password for their accounts that isn’t reused on other sites they use. “The Dropbox incident underlines the necessity of having different passwords for every website,” commented Graham Cluley, senior technology consultant at Sophos.

“As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves.”

Cluley advises that users encrypt any sensitive data they intend to store on Dropbox. “That way anyone who raids your account won’t be able to make sense of what you have stashed in the cloud anyway.”

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.
