Dropbox reports user accounts were hijacked, adds new security features

“Several weeks ago, reports started to trickle out that a number of Dropbox users were under attack from spam,” Rip Empson reports for TechCrunch.

“Since then, Dropbox has been investigating those attacks (with some help from a third-party) and today gave the first update on the progress, saying that some accounts were indeed accessed by hackers, but that it is now adding two-factor authentication and other security features to prevent further problems,” Empson reports. “The company (via Dropbox’s VP of Engineering, Aditya Agarwal) said in a blog post that its investigation found that the usernames and passwords were in fact stolen and were stolen from third party websites, which were then used to sign in to ‘a small number of Dropbox accounts.’ The company did not cite numbers specifically, so it’s not clear exactly how many accounts were accessed, but the company did say that it has contacted those users and is helping them to further protect their accounts.”

Empson reports, “The company also said that one of those stolen passwords was used to access a Dropbox employee’s account, which contained a project document with user email addresses. The company believes that ‘this improper access is what led to the spam.’ The company also apologized and said that it has ‘put additional controls in place to help make sure it doesn’t happen again.’”


[Thanks to MacDailyNews Reader “Lynn Weiler” for the heads up.]

7 Comments

  1. “The company also said that one of those stolen passwords was used to access a Dropbox employee’s account, which contained a project document with user email addresses.”

    That is NOT cool. I don’t like the idea that my email address is being stored in some random employee’s “project document” without any further controls. Glad to hear that added measures are being taken to prevent this, but it never should have happened in the first place.

    1. If I had to guess, it was probably against policy for the employee to have that document in his/her Dropbox.

      People don’t often follow proper protocol. If you’ve ever worked in IT Support, you’ll know that it happens all the time (people storing documents on the local machine instead of the server, then whining when their hard drive crashes is quite common). Nothing you can do about an ignorant/rogue employee.

      1. 2nd that.

        1Password can store my passwords in Dropbox… No thanks.

        I use Dropbox a lot, but not for anything “sensitive”.
        Same with Evernote. Their ToS even says they can look at your files. (It’s why lawyers don’t use Evernote.)
