Over the last few weeks an attacker used a collection of illicitly obtained usernames and passwords to infiltrate a number of Dropbox accounts, including one belonging to a Dropbox employee. The usernames and passwords were stolen from other, third-party websites, Dropbox officials said, finally confirming the breach, which had been rumored for several weeks.
The company’s admission follows a series of customer complaints earlier this month that email addresses they used only for Dropbox were being targeted by gambling and casino website spam. Dropbox claimed in mid-July it hadn’t seen reports of unauthorized activity but that it had brought in “a team of outside experts” to help investigate the spam that was largely affecting users in Germany and the UK.
The company believes the spam was triggered when the employee’s account, which contained a project document with user email addresses, was raided, according to an analysis published on the company’s blog yesterday.
To address the issue, the San Francisco-based company also announced plans to implement two-factor authentication – where users log in using their password and a code sent to their phone – over the next few weeks.
Dropbox also plans to launch an automated mechanism it can use to detect suspicious activity, a page that lets users see all active logins to their account, and perhaps even an occasional forced password change.
The breach recalls the hack on social network LinkedIn in early June that spilled over six million users’ hashed, unsalted passwords. Those credentials made their way around the Internet quickly, affecting users who used the same logins on dating site eHarmony and music streaming site Last.fm.
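The LinkedIn dump mentioned above matters because unsalted hashes let one precomputed table expose every account sharing a password, which is exactly what makes cross-site credential reuse so damaging. The following is an added illustration, not code from Dropbox or LinkedIn; the accounts and wordlist are constructed, and SHA-1 is assumed only as the unsalted scheme for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: three accounts, two of which reuse the same weak password.
ACCOUNTS = {
    "alice@example.com": "summer2012",
    "bob@example.com": "summer2012",
    "carol@example.com": "correct horse battery",
}

# Constructed wordlist standing in for credentials already leaked elsewhere.
WORDLIST = ["password", "123456", "summer2012", "linkedin"]


def unsalted_sha1(password):
    """Unsalted hash (SHA-1 assumed here): equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(digests):
    """A single precomputed table recovers every user sharing a listed password."""
    table = {unsalted_sha1(w): w for w in WORDLIST}
    return {user: table[d] for user, d in digests.items() if d in table}


def salted_hash(password, salt=None, rounds=100_000):
    """Per-user random salt plus PBKDF2: identical passwords yield distinct records,
    so a leaked table no longer links accounts or transfers between sites."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password, salt, digest, rounds=100_000):
    """Constant-time check of a stored (salt, digest) record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def duplicate_salted_records():
    """Count colliding stored digests when every user gets a fresh salt (expect 0)."""
    records = [salted_hash(p)[1] for p in ACCOUNTS.values()]
    return len(records) - len(set(records))
```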