Have you noticed an unusual amount of spam pouring into your email inbox? If so, you’re not alone. Dropbox revealed on Tuesday that, earlier this month, an untold number of the cloud storage service’s users reported receiving spam to email addresses only linked to Dropbox. The company says that it has contacted all users whose accounts were compromised, so if you haven’t received a notice, you should be in the clear.
According to the company, the spammers got at Dropbox users' email addresses in two ways. First, "usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," wrote Aditya Agarwal, Dropbox's vice president of engineering, in a post on the company blog; in other words, the attackers replayed credentials leaked elsewhere against Dropbox, which only works when a user has reused the same password. Second, a "stolen password was also used to access an employee Dropbox account containing a project document with user email addresses."
"We believe this improper access is what led to the spam," wrote Agarwal. "We're sorry about this, and have put additional controls in place to make sure it doesn't happen again."
As Agarwal writes, these “additional controls” include:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
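Two of the controls in that list lend themselves to a concrete sketch: the "automated mechanisms to help identify suspicious activity" and the forced password change for passwords that are "commonly used or haven't been changed in a long time." The Python below is an added illustration, not Dropbox's code, run over a small constructed login log. The log format, the thresholds, and the tiny common-password list are all assumptions chosen for the example; the point is the shape of the check, which flags the signature of the first attack path described above (one source trying many different accounts, mostly failing, with the occasional success where a reused password matched).

```python
"""Added example (not Dropbox's code): two of the controls listed above,
demonstrated on constructed data.

1. A credential-stuffing detector over a constructed login log. Stolen
   username/password pairs from other sites get tried against many
   accounts from a few source IPs, so an IP that touches many distinct
   usernames with a low success rate is what we flag.
2. A "commonly used or stale password" check of the kind that would
   trigger a forced reset.

Log format, thresholds and the common-password list are assumptions.
"""
from collections import defaultdict

# Constructed sample log: "timestamp source_ip username OK|FAIL".
SAMPLE_LOG = """\
2012-07-17T08:00:01Z 203.0.113.5 alice FAIL
2012-07-17T08:00:02Z 203.0.113.5 bob FAIL
2012-07-17T08:00:02Z 203.0.113.5 carol FAIL
2012-07-17T08:00:03Z 203.0.113.5 dave OK
2012-07-17T08:00:03Z 203.0.113.5 erin FAIL
2012-07-17T08:00:04Z 203.0.113.5 frank FAIL
2012-07-17T08:00:05Z 203.0.113.5 grace OK
2012-07-17T08:01:00Z 198.51.100.9 alice OK
2012-07-17T08:05:00Z 198.51.100.9 alice OK
2012-07-17T08:06:00Z 192.0.2.77 bob FAIL
2012-07-17T08:06:10Z 192.0.2.77 bob OK
"""

# Tiny stand-in for a real list of breached/common passwords (assumption).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "dropbox", "letmein"}


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried many distinct usernames with a low success rate.

    Returns {ip: {"distinct_users", "attempts", "failures", "compromised"}} where
    "compromised" lists accounts the flagged IP actually got into (the reused
    passwords that matched). A single user retrying their own password from
    one IP, as 192.0.2.77 does below, is not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "compromised": set()})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["compromised"].add(user)
        else:
            stats["failures"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        success_rate = 1.0 - stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "failures": stats["failures"],
                "compromised": sorted(stats["compromised"]),
            }
    return flagged


def must_reset(password, last_changed_days, max_age_days=365):
    """Return the reason a password change should be required, or None.

    Mirrors the two triggers named in the post: a commonly used password,
    or one that has not been changed in a long time (max_age_days is an
    assumed cutoff).
    """
    if password.lower() in COMMON_PASSWORDS:
        return "commonly used password"
    if last_changed_days > max_age_days:
        return "password not changed in over %d days" % max_age_days
    return None


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print("suspicious source %s: %d users tried, %d/%d failed, got into %s"
              % (ip, info["distinct_users"], info["failures"],
                 info["attempts"], info["compromised"]))
    for pw, age in (("qwerty", 10), ("correct horse battery staple", 400)):
        print("%r (age %d days): %s" % (pw, age, must_reset(pw, age)))
```

On the sample data only 203.0.113.5 is flagged (seven distinct usernames, five failures, two accounts it actually got into), which is exactly the list of accounts a service would want to notify and force through a password change. In production the detector would run over a sliding time window and the password check would consult a full breached-password corpus rather than a seven-entry set, but the logic is the same.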
Agarwal goes on to warn users against using the same password across multiple online accounts, and it is good advice by any measure. You should never reuse a password across accounts, because once one site's password database is stolen, every other account protected by the same credentials can be opened with it, which is precisely how the first of the two attack paths above worked. Agarwal recommends that users look at password managers such as 1Password, which "can help you manage strong passwords across multiple sites." Again, solid advice.
The incident was first reported by Sarah Perez of TechCrunch on July 17, after a number of international users began posting on the Dropbox forums that spam was arriving at email addresses they used only for Dropbox. Within hours, Dropbox responded to its users, saying that it was "actively investigating your reports."