Dropbox To Adopt Two-Factor Authentication After Spam Campaign


Dropbox promises to take action after an employee's stolen password was used in the theft of hundreds of customer email addresses, mostly in Europe, which were later used in a spam campaign for a number of online gambling venues. The company also believes that some of the spam incidents were related to the theft of usernames and passwords from other sites, which were then used to access Dropbox accounts.

The company issued a blog post indicating that a coordinated response is under development. Most notably, Dropbox plans to implement two-factor authentication involving not only the traditional username and password but also a temporary code that would be sent to the user's mobile phone. This feature is expected to become active within the next few weeks.

Two-factor authentication is expected to gain wider adoption now that mobile phones can deliver the temporary access codes. Before that trend, multi-factor authentication was held back by the logistics of distributing dedicated token devices and the cost of buying and maintaining them.
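As an added illustration (not Dropbox's code and not part of the original article), the following is a minimal server-side model of the temporary-code second factor the post describes: a short-lived one-time code is issued after the password check and verified with expiry, single use and an attempt limit, so a stolen password alone is not enough to log in. The code length, lifetime and attempt limit are assumed policies, and the in-memory store stands in for a real datastore.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_DIGITS = 6            # assumed policy: six-digit code
CODE_TTL_SECONDS = 300     # assumed policy: valid for five minutes
MAX_ATTEMPTS = 5           # assumed policy: discard after five wrong guesses

# Pending challenges keyed by user id (in-memory stand-in for a datastore).
_pending: Dict[str, dict] = {}


def _digest(code: str) -> str:
    # Store only a hash so a leaked challenge table does not expose live codes.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh code for the user and return it for delivery (e.g. SMS)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    _pending[user_id] = {
        "digest": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True once for the correct, unexpired code. The challenge is
    removed when it is used, expired, or has exhausted its attempts."""
    now = time.time() if now is None else now
    challenge = _pending.get(user_id)
    if challenge is None:
        return False
    if now > challenge["expires"]:
        del _pending[user_id]            # expired codes are never accepted
        return False
    challenge["attempts"] += 1
    # Constant-time comparison avoids leaking how much of the code matched.
    ok = hmac.compare_digest(challenge["digest"], _digest(submitted))
    if ok or challenge["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]            # single use; also drop exhausted challenges
    return ok
```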


"Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen," said Dropbox engineer Aditya Agarwal on the company's blog.

The company also announced plans to roll out a new Web page that will enable users to track all active logins to their accounts. In addition, recommendations for password changes and other security enhancements will apparently be forthcoming. The post also included common, but useful, conventional wisdom around frequent password changes, the use of different passwords for different accounts and recommended password complexity.

Dropbox reportedly encountered similar issues with spammers earlier this year. A series of incidents involving pharmaceutical sales were reported in March, in which about 1,200 suspicious URLs were identified over a period of two days.

PUBLISHED AUG. 1, 2012