Dropbox confirmed yesterday that it had suffered a security breach and that some account names and passwords have been stolen.
The cloud storage company were alerted to the issue when they started getting emails from some users about spam they were receiving at email addresses used only for Dropbox.
Since then Dropbox have started an investigation and have today announced that there was a hack to the system and that usernames and passwords stolen from other websites had been used to sign in to “a small number” of Dropbox accounts.
Most of the people affected by the hack are in Europe, with the company stating that the UK, Germany, and Holland were the places most affected.
The issue stems from a hack within a hack: a Dropbox employee’s account was breached, documents containing user email addresses were stolen from it, and spam was then sent to those addresses.
One stolen password was also used to access an employee’s Dropbox account, which unfortunately contained a project document revealing user email addresses – hence the spam.
Dropbox have apologised for the hack and stated:
“We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
Additionally, Dropbox has announced some new security measures to keep users safe, including a new two-factor authentication system and new automated mechanisms to help identify suspicious activity.
Dropbox has also suggested that users do the following to keep their accounts as secure as possible:
- Change your Dropbox passwords from time to time
- Use a different password for every website
- Tools like 1Password can help you manage strong passwords across multiple sites
If you have been affected by the hack, change your Dropbox password as soon as possible and make it extra secure.
Check out the full statement from Dropbox below:
[spoiler]
A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.
If you have any questions or concerns, please contact us at [email protected]. We’re committed to keeping your Dropbox safe and will continue to monitor this situation carefully.
[/spoiler]
Let us know your thoughts in our comments below or via our @Gadget_Helpline Twitter page or Official Facebook group.