Dropbox said on Wednesday that its investigation of a possible hack attempt, discovered on July 17, found that its systems were not compromised; instead, hackers gained unauthorized access to an employee’s Dropbox account, most likely using a password recently stolen from other websites.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses,” said a statement on Dropbox’s blog.
Sources close to the matter say it is common for people to reuse the same password for all of the online services they use. High-profile sites like Yahoo! and eHarmony were hacked last month, exposing the details of approximately 400,000 user accounts. It is possible that the employee’s password was among those recently stolen from other websites; the hackers took a chance by trying that password on the employee’s Dropbox account, and succeeded.
Dropbox said it believes the users whose email addresses appeared in the document acquired via the employee’s account were the ones targeted by the spam messages (unsolicited commercial email) that users reported receiving when this incident started two weeks ago.
While Dropbox systems were not compromised, Dropbox said it will add new security-related features to its service, including a new web page in every user’s account that lists the details of all active logins to that account. Dropbox said it is also working on a two-factor authentication solution that requires two proofs of a user’s identity when the user signs in.
Some critics said a key aspect of Dropbox’s security model is flawed – users log in to Dropbox using their email address and a password. The critics say Dropbox should require users to log in with a username instead of their email address, to significantly lower the likelihood of future attacks similar to this one succeeding.
Dropbox encouraged users of its service to use a different password for each of their online accounts.