Dropbox Security Update

I realize I am roughly two weeks behind in following up on this story but wanted to make sure people know the latest on the Dropbox spam problem. The last I wrote was that Dropbox had not found any evidence of a security breach. On July 31st, though, Dropbox finally wrote a post on their blog that detailed what they believe happened. I will sum it up for you if you have not read that post: usernames and passwords recently stolen from other websites were used to sign in to some Dropbox accounts. In other words, it was not Dropbox at fault but rather the fact that other websites had security breaches and people used the same email address and password on those websites as they did on Dropbox.


On top of that, a Dropbox employee's account was accessed, and that employee had a file containing Dropbox users' email addresses that was then used to spam Dropbox users. Think about this for a second. This could possibly mean that a Dropbox employee did exactly what Dropbox just said other users did: use the same email and password on another website that had a security breach.

As a result Dropbox is going to implement the following:

  • Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in.
  • New automated mechanisms to help identify suspicious activity.
  • A new page that lets you examine all active logins to your account.
  • In some cases, you may have to change your password.

Good for Dropbox to stand up and say something about what has happened, but I am not exactly sure that blaming your users and security breaches on other websites is really the best way to go. Perhaps sending out an email to users after news broke of the LinkedIn and Yahoo security breaches, reminding them to change their passwords if they used those services, might have been helpful. Granted, there is no easy way to manage a situation like this, but it is a good reminder not to keep very sensitive information in your Dropbox without an extra level of encryption on your important files. Just off the top of my head, you can check out one of these three easy-to-use services to add that extra layer of protection. A note about these services: I have not had a chance to try and rate them, I just know about them. Perhaps in a future post I will spend some time with each.

Another option is to use a service like SpiderOak that has a stronger security model and already offers two-factor authentication. Not to mention they don't use email addresses as usernames and there is no password recovery option.

As a reminder, it is always a good idea to use a different password on each website. If you are worried about forgetting passwords, check out the service LastPass. They offer an excellent browser plugin for remembering usernames and passwords. I personally use it and it is one of the best services I pay for.
