Dropbox confirms data leak
Cloud storage service provider Dropbox has acknowledged that a file containing private customer data was stolen from the Dropbox account of one of the company's employees and that the information was subsequently used to send out spam messages to users.
In mid-July, a number of Dropbox users complained that they were receiving spam at email addresses used exclusively to sign into the storage service. As it turns out, this was no coincidence – according to Dropbox, an unspecified number of customer email addresses were contained in a "project document" stored in an employee's Dropbox account.
The company says that the data was stolen by an unknown intruder using a password harvested during an attack on another, unnamed web site – the employee had used his Dropbox password for signing into other web services. Dropbox says that the data thieves also accessed "a small number" of other Dropbox accounts in the same way. The company added that it has since contacted users affected by the incident.
Following the data leak, the cloud storage provider has created a new section on the Account Security page that allows users to see what web browsers are currently logged into their account, and has implemented new automated mechanisms to identify suspicious activity. Dropbox says that it also plans to offer a two-factor authentication option in a few weeks' time.
The company didn't say how exactly this option will be implemented, but that users could, for example, receive an SMS text message with a temporary code that must be entered together with the password each time they log in. With this kind of two factor authentication, a potential attacker would then need to know the log-in data and also have access to the user's mobile phone in order to successfully access the account.