Cloud storage service Dropbox has admitted to users that it was hacked, leading to spam. The admission comes after users reported an increasing level of spam hitting their accounts.
Most of the spam reports came from users in Germany, the Netherlands, and the United Kingdom.
Dropbox's Vice President of Engineering Aditya Agarwal stated that information, such as usernames and passwords, was stolen from third-party websites.
"We've been working hard to get to the bottom of this," posted Agarwal on the Dropbox Blog. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts."
Agarwal noted an employee's account was also hacked. He added the employee's account had a project document with user email addresses.
"We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again," said Agarwal.
Dropbox detailed four steps in hopes of avoiding a future spam attack:
- Two-factor authentication, a way to optionally require a unique code in addition to your password when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We'll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it's commonly used or hasn't been changed in a while)
Trend Micro's Director of Security Research and Communication Rik Ferguson criticized the accessibility of the Dropbox email addresses.
"This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised," said Ferguson. "It is not specified which services they refer to, but again, why?"
"The Dropbox incident underlines the necessity of having different passwords for every website," said Sophos Senior Technology Consultant Graham Cluley to InformationWeek. "As people pile more confidential information onto the Web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."
The bad news for Dropbox is good news for Google's own cloud storage system, Google Drive. Google's cloud service has been integrating Gmail and Google Plus and offering more storage space for new customers.