Dropbox have announced that a security breach saw many of their users on the receiving end of spam emails. Following a hack on a third-party website, a Dropbox employee's username and password for the service was exposed, allowing hackers access to that employee's Dropbox account. Contained within the employee's account were project files which included many ordinary Dropbox users' email addresses; email addresses which are now being inundated with spam.
In addition, usernames and passwords stolen in recent hacking incidents on other websites were used to gain access to a number of other Dropbox accounts.
What does it mean for Dropbox users?
Users who have had their email addresses stolen from Dropbox should expect to be on the receiving end of spam. With those email addresses now in the public domain, there's nothing Dropbox can do to stop that.
Users who had their accounts compromised have now been contacted by Dropbox to help them protect their accounts. It may be too late, though, for those whose stored data has already been accessed.
This latest incident once again highlights the ramifications for any of us who use the same password for multiple sites. All it takes is for one insecure site to be compromised and the hacker can potentially access a whole host of websites and services which use the same credentials. Do you use the same password for online banking that you've used elsewhere?
Never use the same password twice! If the Dropbox employee had not re-used the same password, Dropbox would not have been compromised in this way. Equally, the other users wouldn't have had their Dropbox accounts accessed by hackers in the same way.
It is difficult, though, for those unaware of solutions such as my1login to create and then remember a multitude of different passwords across a multitude of different websites, so it's understandable why re-using passwords is a common insecure practice. It is in instances like these that the value of being a my1login member really shows itself. As my1login users, we no longer have to remember our passwords, so we're free to make them different for all of our websites, and we're able to use the my1login password generator to make sure they're not only different, but strong and long.
Making our passwords different across all of our sites isolates our exposure should one site be compromised. Making our passwords long and strong means that even if a website is hacked and the hashed passwords - the way most websites store passwords - are stolen, it is much more difficult for any hacker to get hold of our actual passwords.
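The two pieces of advice above, one independent password per site and enough length that an offline attack on a stolen hash is impractical, can be made concrete. The following is an added illustration, not code from the original post or from my1login: it generates per-site passwords from the operating system's CSPRNG, shows how guess-work (entropy) grows with length and alphabet size, and flags any password that appears on more than one site. The alphabet, lengths and site names are constructed for the example.

```python
import math
import secrets
import string

# Alphabet assumed for generated passwords (constructed for this example):
# upper, lower, digits and punctuation, 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a password whose characters are drawn uniformly from ALPHABET.

    secrets.choice uses the OS CSPRNG, unlike random.choice, so the result is
    unpredictable even to someone who has seen earlier outputs.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly chosen password: log2(alphabet_size ** length).

    Each extra character multiplies the number of candidates an attacker must
    try against a stolen hash by alphabet_size, which is why length matters.
    """
    return length * math.log2(alphabet_size)


def generate_per_site(sites, length: int = 20) -> dict:
    """One independent password per site, so a breach of one site exposes only that site."""
    return {site: generate_password(length) for site in sites}


def reused_passwords(vault: dict) -> dict:
    """Map each password that is used on more than one site to the list of those sites."""
    seen: dict = {}
    for site, password in vault.items():
        seen.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    vault = generate_per_site(["dropbox", "bank", "email"])
    for site, pw in vault.items():
        print(f"{site:8s} {pw}  ({entropy_bits(len(pw)):.1f} bits)")
    print("reused:", reused_passwords(vault) or "none")
```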
- BBC article on the Dropbox breach
- Dropbox's own article on the breach
- my1login article on reusing passwords