Dropbox is a cloud storage service with a large share of the market both in the US and here in the UK. It recently released details of a security breach that led to many of its users being sent unsolicited emails. Worryingly, the breach came via an employee’s password being used to access their email account and obtain a “document” from a project that contained members’ email addresses. This document was subsequently copied, and the email addresses were then spammed with the unsolicited emails.
The company also stated that members’ usernames and passwords (which had been obtained from another website or service) had been used to access their Dropbox accounts, as the credentials were the same. It has put in place new measures to address this security breach.
New Security System
Part of the new system uses an automated system to spot suspicious login attempts and general user activity on the site. Coupled with this is a new feature page which allows members to browse previous sessions and determine whether each one was their own; if they do not recognize a session, they can report a breach.
Once again the company (like many before it) has advised all users to create a unique password for each internet site that they use (although how achievable this goal is remains to be seen).
Another initiative being trialed is the ability for users to opt in to its new 2-way authentication. This would involve using both their new, highly secure and unique password and an access code sent to their mobile phone.
The security breach in question came to light when literally hundreds of its users complained that they were receiving unsolicited emails at the email address they had used in the sign-up process for their Dropbox account. Initially a third-party security firm was called in to investigate the breach and find the cause. The company refused to reveal the extent of the breach and how many users were affected, but its website states that it has over fifty million users, so we can possibly assume that the number was significant.
One top online security firm labelled the breach as a combination of bad practice both inside and outside the company itself.
Its users were also quick to question the security practices of the firm, with comments on tech blogs like:
“why oh why was an employee storing users’ email addresses in their email account in this fashion”
“If the company has any regard for its members’ privacy these details would be locked away in a secure database with encryption, not on someone’s Outlook!”
This news has been taken as a possible blow to the company’s market share, as both Microsoft and Google look to strengthen their own offerings in this space in the form of SkyDrive and Google Drive respectively.
We shall see; only time will tell whether users deem this security failing serious enough to move their data to an alternative provider.