A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:
- Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
- New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
- A new page that lets you examine all active logins to your account.
- In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.
If you have any questions or concerns, please contact us at firstname.lastname@example.org. We’re committed to keeping your Dropbox safe and will continue to monitor this situation carefully.