Unsafe password practices cause Dropbox spam scare

Dropbox has confirmed that usernames and passwords stolen from other websites were used to sign in to a small number of Dropbox accounts.

Cloud storage provider Dropbox has confirmed that usernames and passwords stolen from other websites were used to sign in to a small number of Dropbox accounts.

"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," wrote Dropbox engineer Aditya Agarwal in a company blog post.

The company believes this is what led to some users receiving spam at email addresses used only for Dropbox.

"We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again," Agarwal wrote.

Dropbox is taking steps to improve the safety of accounts even if passwords are stolen, including adding two-factor authentication, implementing automated mechanisms to help identify suspicious activity, and setting up a new page that lets users see all active logins to their account.

"In some cases, we may require you to change your password. For example, if it’s commonly used or hasn’t been changed in a long time," Agarwal said.

Dropbox also recommended that users improve their online safety by setting a unique password for each website they use.

"Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites," Agarwal said.
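The two controls described above, forcing a reset when a password is commonly used or stale and treating credentials leaked from other sites as compromised, can be expressed as a small server-side policy check. The following Python is an added example, not code from the article or from Dropbox; the common-password list, the "leaked elsewhere" hash set, the one-year age limit and the function name `change_reasons` are all constructed assumptions for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample data (assumptions, not from the article): a short list of
# commonly used passwords, and SHA-256 digests of passwords exposed in breaches
# at other websites. The lookup compares digests rather than plaintext so the
# service never has to keep a readable copy of someone else's leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dropbox"}
LEAKED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("hunter2", "correcthorsebatterystaple")  # constructed breach dump
}
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy value


def change_reasons(password, last_changed, today=None):
    """Return the reasons a password reset should be required.

    An empty list means the password passes every check. Checks are ordered so
    the caller can show the most urgent reason first.
    """
    today = today or date.today()
    reasons = []
    # Case-insensitive match against the block list of common passwords.
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("commonly used")
    # A password that appears in another site's breach is exactly what a
    # credential-reuse attack will try first, so it is treated as compromised.
    if hashlib.sha256(password.encode()).hexdigest() in LEAKED_HASHES:
        reasons.append("seen in a breach at another site")
    # Age check: a long-unchanged password has had more time to leak.
    if today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        reasons.append("not changed in a long time")
    return reasons


if __name__ == "__main__":
    fixed_today = date(2012, 8, 1)  # constructed date for a repeatable demo
    for pw, changed in (("Password", date(2012, 7, 1)),
                        ("hunter2", date(2011, 1, 1)),
                        ("xK9#vq2Lr!8s", date(2012, 6, 1))):
        print(pw, "->", change_reasons(pw, changed, today=fixed_today) or "ok")
```

In production the leaked-hash lookup would be backed by a breach corpus rather than an in-memory set, and the plain SHA-256 here is only a lookup key for that comparison, not a way to store the user's own password.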

The Dropbox incident underlines the necessity of having different passwords for every website, said Graham Cluley, senior technology consultant at security firm Sophos.

"As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves," he said.

"If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," continued Cluley.

"That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage - protecting users who make use of services such as Dropbox."

The news comes as the European Union cybersecurity agency Enisa called on service providers and end-users to work together to protect online identities.

Passwords protect sensitive information, yet in the first half of 2012 alone, data breaches have exposed millions of citizens’ personal data including password information, said the European Network and Information Security Agency.

The organisation has published guidelines on improving password security for online service providers and users.

1 comment

It is sad to see something like this happen, but I think this is the type of wake-up call that they needed to kick the complacent attitude about authentication and passwords. There continues to remain the need for more preventative measures to be put in place. For example many of the leading online storage providers are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim that the verification process makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more providers start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.