Unsafe password practices cause Dropbox spam scare

Dropbox has confirmed that usernames and passwords stolen from other websites were used to sign in to a small number of Dropbox accounts.

Cloud storage provider Dropbox has confirmed that usernames and passwords stolen from other websites were used to sign in to a small number of Dropbox accounts.

"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," wrote Dropbox engineer Aditya Agarwal in a company blog post.

The company believes this is what led to some users receiving spam at email addresses used only for Dropbox.

"We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again," Agarwal wrote.

Dropbox is taking steps to improve the safety of accounts even if passwords are stolen, including adding two-factor authentication, implementing automated mechanisms to help identify suspicious activity, and setting up a new page that lets users see all active logins to their account.

"In some cases, we may require you to change your password. For example, if it’s commonly used or hasn’t been changed in a long time," Agarwal said.
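The two controls described above (automated detection of suspicious activity, and forcing a change when a password is commonly used or stale) sketched as an added example in Python; this is not Dropbox's code, and the common-password list, age limit, thresholds and login events are all constructed for the illustration:

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for this example (not Dropbox's own lists or logs).
COMMON_PASSWORDS = {hashlib.sha256(p.encode()).hexdigest()
                    for p in ("password", "123456", "qwerty", "letmein")}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy value

def password_needs_change(password, last_changed, now):
    """Reason a reset is required, or None. Mirrors the two triggers the
    article quotes: the password is commonly used, or it is stale."""
    if hashlib.sha256(password.encode()).hexdigest() in COMMON_PASSWORDS:
        return "commonly used"
    if now - last_changed > MAX_PASSWORD_AGE:
        return "not changed in a long time"
    return None

def suspicious_sources(events, window=timedelta(minutes=10), max_accounts=5):
    """Return source IPs that log in to more than max_accounts distinct
    accounts within any window-long span: the footprint of credentials
    stolen elsewhere being tried across many accounts. events are
    (timestamp, account, source_ip) tuples for successful logins."""
    by_ip = defaultdict(list)
    for ts, account, ip in sorted(events):
        by_ip[ip].append((ts, account))
    flagged = set()
    for ip, logins in by_ip.items():
        for i, (start, _) in enumerate(logins):
            accounts = {a for ts, a in logins[i:] if ts - start <= window}
            if len(accounts) > max_accounts:
                flagged.add(ip)
                break
    return flagged

# Constructed login events: one ordinary user, plus one source address
# cycling through many unrelated accounts within a few minutes.
T0 = datetime(2012, 7, 17, 9, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=m), f"user{m}@example.com", "203.0.113.7")
                 for m in range(8)]
SAMPLE_EVENTS += [(T0 + timedelta(hours=h), "alice@example.com", "198.51.100.2")
                  for h in range(3)]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_EVENTS))        # -> {'203.0.113.7'}
    print(password_needs_change("qwerty", T0, T0))  # -> commonly used
```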

Dropbox also recommended that users improve their online safety by setting a unique password for each website they use.

"Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites," Agarwal said.

The Dropbox incident underlines the necessity of having different passwords for every website, said Graham Cluley, senior technology consultant at security firm Sophos. 

"As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves," he said.

"If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," continued Cluley.

"That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage - protecting users who make use of services such as Dropbox."

The news comes as the European Union cybersecurity agency Enisa called on service providers and end-users to work together to protect online identities.

Passwords protect sensitive information, yet in the first half of 2012 alone, data breaches have exposed millions of citizens’ personal data including password information, said the European Network and Information Security Agency.

The organisation has published guidelines on improving password security for online service providers and users.


It is sad to see something like this happen, but I think this is the type of wake-up call that they needed to kick the complacent attitude about authentication and passwords. There continues to remain the need for more preventative measures to be put in place. For example many of the leading online storage providers are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim that the verification process makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more providers start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.

Dropbox provides quite a high level of information safety. Like they use their own encryption method, use AES and 256-bit encryption (https://utopia.fans/privacy/is-dropbox-private-and-safe-to-use/). But if some authorities ask for the information of some particular user, they'll pass the information the exact moment. I prefer my data to stay safe in any case. So I'll better look for some other services.