The online file storage service Dropbox confirms that usernames and passwords were stolen from third-party websites and then used to access Dropbox accounts.
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts,” the company wrote in a blog post today. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.”
According to the company blog post, here are some of the steps it is taking:
Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
A new page that lets you examine all active logins to your account.
In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
The file storage service also recommends that users avoid using the same password on multiple sites, since a security breach at one site could then put all of their accounts at risk. A few websites were hacked this year, such as Yahoo and LinkedIn.