Dropbox has finally admitted a security breach, but the security features it is implementing in response could lose it customers, according to one expert.
Following complaints from a number of customers who were receiving spam at email addresses they only used for the cloud storage service, Dropbox began investigating if there had been a security breach.
It discovered that usernames and passwords stolen from other websites (Dropbox declined to say which) had been used to access "a small number" of Dropbox accounts. These users have been contacted and their accounts secured, according to Dropbox's statement.
However, one of the compromised Dropbox accounts belonged to a Dropbox employee and contained a project document listing user email addresses. Dropbox believes this "improper access" led to the spam emails being sent. "We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again," Aditya Agarwal said on The Dropbox Blog.
One commenter on the blog post raises the question: "What was a staff member doing with users' email addresses in such a way?"
New security measures
These new measures include optional two-factor authentication, which requires two proofs of identity when signing in, such as your password and a temporary code sent to your phone.
This rather cumbersome process could put some people off using the service and mean lost customers for Dropbox.
Brian Spector, CEO of online security experts CertiVox, told IBTimes UK: "We are delighted that Dropbox are now considering remedying this weakness using two-factor authentication, but we are also speaking to them about how they are planning to do it. Using one-time codes to mobile phones is cumbersome, and it will lose them customers."
Another measure Dropbox is implementing to make the site more secure is a new page where you will be able to see all active logins to your account. Dropbox may also prompt you to change your password from time to time if it believes the password is commonly used or hasn't been changed in a long time.
This problem arose because people commonly reuse the same password across multiple online accounts, meaning the weakest link in the chain can grant hackers and/or criminals access to even the most secure online portals.
Spector adds: "On average, each Briton using the internet has 26 different online accounts, so any information obtained is generally good for the other 25 sites too."
The problem, as Spector sees it, is with OAuth, an open standard for online authorisation used by some of the most high-profile online sites, such as Facebook, Google, Tumblr, Twitter and Dropbox.
OAuth allows users to share personal information and content stored on one site with another site without handing over their credentials, supplying tokens in place of a username and password instead.
"There is a broader story here about OAuth and the viability of the tokens it uses, because, reading between the lines, the username / account details were lifted through the bearer tokens on third party websites," Spector said.