After a two-week investigation, Dropbox confirmed today that it was hacked. The online file storage service said that attackers took usernames and passwords stolen from third-party sites and reused them to sign in to Dropbox users' accounts, a password-reuse (credential-stuffing) attack rather than a break of Dropbox's own login system.
It all began a couple of weeks ago, when hundreds of Dropbox users started receiving unsolicited spam email about online casinos and gambling sites. When the problem first appeared earlier in the month, several Dropbox users posted on the company's web forum saying they had received spam at email addresses used only for Dropbox, a strong indication that the addresses had leaked from Dropbox itself. The company got a handle on the situation, but by then 295 people, the majority of them from Germany, Holland and the U.K., had already posted on the forum.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts. A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam," the company wrote in a blog post today.
Dropbox has since tightened its security controls to prevent a repeat. The same blog post lists the steps Dropbox is taking to keep attackers out and users' accounts safe:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We'll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it's commonly used or hasn't been changed in a long time)
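The first item above describes a second proof of identity in the form of a temporary code. The block below is an added example, not Dropbox's code, of how such a code is generated and checked when it is derived from a shared secret and the clock (TOTP, RFC 6238, built on HOTP, RFC 4226) rather than sent by SMS as the post describes; the shared secret, the 30-second step and the one-step clock-skew window are assumptions. The test secret is the one published in the RFC, so the expected codes can be checked against it.

```python
"""Time-based one-time passwords (RFC 6238) in the standard library only.

Added example for illustration; not Dropbox's implementation. Assumptions:
a base32 secret shared at enrolment, SHA-1 HMAC, 30-second steps, 6 digits,
and one step of clock skew tolerated on verification.
"""
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded):
    """Decode the base32 secret shown at enrolment (padding is often omitted)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side.

    Comparison is constant-time. A real deployment must additionally reject a
    code that has already been accepted (each code is single-use) and rate-limit
    attempts, otherwise a 6-digit space is brute-forceable.
    """
    if for_time is None:
        for_time = int(time.time())
    current = for_time // step
    for skew in range(-window, window + 1):
        candidate = hotp(secret, current + skew, digits)
        if hmac.compare_digest(candidate, str(code)):
            return True
    return False


# RFC 6238 test secret (ASCII "12345678901234567890"), used only for the demo.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code for T=59:", totp(RFC_SECRET, 59))            # 287082
    print("verify:", verify_totp(RFC_SECRET, "287082", for_time=59))
```

Both sides compute the same code from the secret and the clock, so nothing secret travels over the wire at login time; what an attacker with a reused password lacks is the enrolled secret. The skew window is the usual trade-off between tolerating drift and enlarging the set of codes that will be accepted.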
Apart from tightening security on its own end, Dropbox has also advised users not to reuse the same password across multiple sites, since reuse is exactly what makes this kind of attack work: once one site is breached, every other account protected by that same password is at risk, and the attacker need only try the leaked username and password pairs against other services.
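The attack pattern just described, leaked username and password pairs replayed against another service, leaves a distinctive trace in login logs, which is what "automated mechanisms to help identify suspicious activity" in the list above would look for. The block below is an added example, not Dropbox's detection code: it runs over constructed log lines (the one-line-per-attempt format is an assumption) and flags any source address that tries many distinct accounts in a short window with mostly failures, reporting the few accounts where the reused password happened to match, which are the users who would need to be contacted.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not Dropbox's code. The log format is a constructed assumption:
"<ISO timestamp> <source_ip> <username> <success|failure>", one attempt per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.5 walks a leaked list of
# accounts; 198.51.100.7 hammers one account; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2012-07-31T10:00:01 203.0.113.5 alice@example.com failure
2012-07-31T10:00:02 203.0.113.5 bob@example.com failure
2012-07-31T10:00:03 203.0.113.5 carol@example.com success
2012-07-31T10:00:04 203.0.113.5 dave@example.com failure
2012-07-31T10:00:05 203.0.113.5 erin@example.com failure
2012-07-31T10:00:06 203.0.113.5 frank@example.com failure
2012-07-31T10:00:07 203.0.113.5 grace@example.com success
2012-07-31T10:00:08 203.0.113.5 heidi@example.com failure
2012-07-31T10:05:00 198.51.100.7 alice@example.com failure
2012-07-31T10:05:20 198.51.100.7 alice@example.com failure
2012-07-31T10:06:00 198.51.100.7 alice@example.com success
2012-07-31T11:00:00 192.0.2.9 bob@example.com success
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "success"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_distinct_users=5, min_failure_ratio=0.5):
    """Return {source_ip: stats} for sources matching the stuffing signature.

    Signature: within `window`, one source attempts at least `min_distinct_users`
    different accounts and at least `min_failure_ratio` of those attempts fail.
    The successes inside a flagged window are the accounts whose reused password
    matched; those are the ones to lock and notify. Thresholds are assumptions.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            attempts[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        # Slide a window starting at each event; stop at the first hit per source.
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            users = {user for _, user, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_distinct_users and failures / len(win) >= min_failure_ratio:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": failures,
                    "compromised": sorted(user for _, user, ok in win if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-users threshold is what separates stuffing from ordinary brute force: 198.51.100.7 fails repeatedly but against a single account, so it is a different signal (lockout or rate limiting on that account), while 203.0.113.5 touches eight accounts with two hits. In production the same logic would key on more than the source address, since stuffing runs are usually spread across many IPs, and would feed the successes straight into forced password resets.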
Although Dropbox has finally acknowledged the breach and taken adequate measures to safeguard users' confidential data, it is disheartening that it took the company so long to establish and admit that it had been hacked. As soon as users started raising concerns on the Dropbox forum, Dropbox began investigating the cause of the spike in spam, and even brought in outside experts. Yet an interim Dropbox forum post declared that there had been no intrusions into its internal systems and no unauthorized activity in Dropbox accounts, a conclusion the final findings contradicted.
The forum post further read, “We wanted to give everyone another update on our investigation into the reports of spam. As of today, we’ve found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts. We’ve reached out to users who’ve reported receiving spam messages and are closely investigating those reports. Security is our top priority and we’ll let you know if we uncover evidence that these email addresses came from Dropbox. Investigations like this can take time and we’re working hard to get to the bottom of this.”