Confronted with a large number of reports of Dropbox-associated email addresses being targeted by spammers, the cloud storage company brought in “outside experts” to probe the issue earlier this month. Those experts have now concluded their investigation and identified the exact cause behind this entire fiasco.
The probe put together by Dropbox has found that the problem began when usernames and passwords stolen from third-party websites were used to compromise a small number of Dropbox accounts. But things got as bad as they did because one of the accounts compromised was that of an employee and “contained a project document with user email addresses.” The company has announced that it plans to implement a number of security measures to avoid similar embarrassments in the future. These measures include two-factor authentication and a new page to help users keep an eye on active logins (and hopefully an internal mechanism to ensure that employee Dropbox accounts don’t contain unencrypted user data).
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use,” Dropbox said in a blog post Tuesday. “ Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.”