Cloud-based storage provider Dropbox came clean with more details today about a security breach that led to a spamming campaign.
The company’s investigation into the incident revealed that usernames and passwords stolen from other Websites, and reused by their owners on Dropbox, were used to sign in to a number of Dropbox accounts, including one belonging to a Dropbox employee that contained a “project document” with user email addresses. According to the company, the document is believed to have been used to launch the spam campaign.
Following the breach, Dropbox users in Holland, Germany and the United Kingdom began reporting on a Dropbox user forum that they were receiving spam for gambling sites. The ensuing complaints led to suspicions that Dropbox had been hacked.
In a blog post, Dropbox engineer Aditya Agarwal apologized for the situation and said the company is putting additional controls in place to prevent future breaches. In particular, the company plans to offer two-factor authentication as an optional way for users to prove their identity when signing in, which it said will be available in a few weeks.
In addition, the company has added new automated mechanisms to help identify suspicious activity, a new page that lets users examine all active log-ins to their account, and a requirement that users change their password if it is a commonly used one or hasn’t been changed in a long time.
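The article does not say how Dropbox’s new suspicious-activity checks work. As an added example (not Dropbox’s code or anything taken from the article), here is the simplest detection logic a practitioner would build for the attack described above, in which credentials leaked from other sites are replayed against many accounts. It runs over a few constructed log lines in an assumed `timestamp src_ip username result` format; the thresholds are assumptions as well.

```python
"""
Added example, not from the article or from Dropbox: a credential-stuffing
heuristic run over constructed authentication log lines.

Replaying leaked username/password pairs leaves a characteristic trace: one
client tries many *different* accounts, each only once or twice, and most
attempts fail because most victims did not reuse that password. A brute-force
attack looks different (many tries against one account), and a normal user
looks different again (one account, an occasional typo).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log in an assumed "<timestamp> <src_ip> <username> <result>"
# format. 203.0.113.7 sprays eight accounts and gets into two; 198.51.100.9 is a
# real user mistyping once; 192.0.2.44 hammers a single account (brute force).
SAMPLE_LOG = """\
2012-07-17T10:00:01Z 203.0.113.7 alice@example.com FAIL
2012-07-17T10:00:02Z 203.0.113.7 bob@example.com FAIL
2012-07-17T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2012-07-17T10:00:03Z 203.0.113.7 dave@example.com FAIL
2012-07-17T10:00:03Z 203.0.113.7 erin@example.com FAIL
2012-07-17T10:00:04Z 203.0.113.7 frank@example.com FAIL
2012-07-17T10:00:05Z 203.0.113.7 grace@example.com SUCCESS
2012-07-17T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2012-07-17T10:01:00Z 198.51.100.9 alice@example.com FAIL
2012-07-17T10:01:30Z 198.51.100.9 alice@example.com SUCCESS
2012-07-17T10:02:00Z 192.0.2.44 ivan@example.com FAIL
2012-07-17T10:02:01Z 192.0.2.44 ivan@example.com FAIL
2012-07-17T10:02:02Z 192.0.2.44 ivan@example.com FAIL
2012-07-17T10:02:03Z 192.0.2.44 ivan@example.com FAIL
2012-07-17T10:02:04Z 192.0.2.44 ivan@example.com FAIL
2012-07-17T10:02:05Z 192.0.2.44 ivan@example.com FAIL
"""


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed four-field format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(AuthEvent(ts, ip, user.lower(), result == "SUCCESS"))
    return events


def detect_credential_stuffing(events: List[AuthEvent],
                               min_distinct_users: int = 5,
                               max_attempts_per_user: float = 2.0,
                               min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Return {src_ip: stats} for sources whose pattern matches credential stuffing.

    Thresholds are assumed values for illustration: a source is flagged when it
    touches many distinct accounts, spends few attempts on each, and mostly fails.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = per_ip[e.src_ip]
        s["attempts"] += 1
        s["failures"] += 0 if e.success else 1
        s["users"].add(e.user)

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        if distinct < min_distinct_users:            # brute force / normal user
            continue
        if s["attempts"] / distinct > max_attempts_per_user:
            continue                                   # guessing, not replaying
        if s["failures"] / s["attempts"] < min_fail_ratio:
            continue                                   # too successful to be a spray
        flagged[ip] = {"attempts": s["attempts"],
                       "distinct_users": distinct,
                       "failures": s["failures"]}
    return flagged


def compromised_accounts(events: List[AuthEvent], flagged_ips) -> List[str]:
    """Accounts a flagged source actually got into: the ones to reset and notify."""
    return sorted({e.user for e in events if e.success and e.src_ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    for ip, stats in hits.items():
        print(f"credential stuffing from {ip}: {stats}")
    print("accounts to force-reset:", compromised_accounts(evs, hits))
```

Keying purely on source IP is the weakest form of this check: an attacker with a proxy pool spreads the spray thinly enough that no single address crosses the threshold. Production systems add the same counting per network block, per client fingerprint, and per account (a success from a location the account has never used), which is the kind of signal the “active log-ins” page mentioned above surfaces to the user directly.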
“At the same time, we strongly recommend you improve your online safety by setting a unique password for each Website you use,” Agarwal blogged. “Though it’s easy to reuse the same password on different Websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.”
Users whose usernames and passwords were stolen from other Websites have been notified, Agarwal added.
The email addresses on the project document were apparently not obfuscated or encrypted.
This breach illustrates the downside of not having rigorous access controls in place around sensitive data, said Todd Thiemann, senior director of product marketing for Vormetric.
“A document containing lots of customer email addresses would seem to be quite sensitive and require protection,” he said. “So encrypting this file after it leaves the database is a security best practice. Companies need to re-evaluate what constitutes sensitive data. While email addresses may not be regulated like credit card data, the damage caused when these are stolen can be as great [as] or greater than impact associated with stolen credit card numbers.”
The incident also serves as a lesson not to use the same password for multiple sites, said Stephen Cobb, security evangelist at ESET.