I hope Dropbox uses Google's Authenticator. It supports multiple accounts and won't clutter up my phone.

http://code.google.com/p/google-authenticator/

Their "such as" example makes it seem they only decided to use 2-factor but haven't chosen an implementation yet.
Good, solid response to the intrusion. I'm particularly happy about the two-factor opportunity. I have no problem re-authenticating every 60-90 days with an SMS sent to my phone, and _definitely_ want any new system to be two-factored before having access to my Dropbox.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses."

I see two ways to read this.

a) An employee happened to have a personal Dropbox account, and it was that personal account that was hacked, in exactly the same manner as the other accounts referenced. The employee probably used a different password on Dropbox's internal systems, and as a result there was no internal breach.

b) An employee account for an internal Dropbox system was hacked, and this internal account allowed the attacker to access the project file. In this scenario, even though Dropbox made no specific comments to this effect, we can assume that the attacker may have obtained access to Dropbox's internal networks, so who knows what they could have made off with.

It makes a huge amount of difference to me which of those two readings actually took place. In scenario (a), this all boils down to users (including one particular employee) using the same password on too many sites. In scenario (b), Dropbox could be hiding a much larger breach.
I really hope they don't make 2fa mandatory. I hate most 2fa systems I've seen (I use Google Authenticator for one gmail account I have, and it makes life even more of a pain than it needs to, even just on Google properties). Having to reauth ~6 devices every month is obnoxious, and I already have a perfectly good password manager with long random per-site passphrases, plus secure storage of my key file and a strong memorized passphrase for it, unlocking sets of passwords only on certain machines. 2fa, particularly a naive version involving SMS or telcos, would make my security worse.
> In some cases, we may require you to change your password. (For example, if it's commonly used or hasn't been changed in a long time)

This is ambiguous... by "commonly used" do they mean 1) I'm logging in with my password frequently or 2) my password itself is a commonly used password? I'm assuming (and praying!) they mean the former, since the latter would mean they're storing my password in plaintext.

UPDATE: Dropbox doesn't store in plaintext. I was incorrect to assume these were the only two possibilities. Confer child comments.
I'm curious who all received this email? Was it sent to the entire user base? If not, what selection criteria did they use?

Everyone I've talked to seems to have received the "reset your password" email. I'm quite curious because I'm certain (up until now) that the password I used for Dropbox was (a) not commonly used, (b) had been changed recently and (c) not leaked anywhere else (to the best of my knowledge).
One of the more glaring security issues with Dropbox is the way they are handling 3rd-party integration.

Giving full access to some random new startup or app is NOT cool. Sure, I don't _have_ to, but people also like to try new stuff, and the integration is half the reason for using cloud services in the first place.

In fact this really applies to all 'platform' plays: Facebook, LinkedIn, etc. Rather, request minimum privileges to inter-operate or authenticate, rather than sweeping authorizations.
When are email addresses going to be considered something that should be protected as well? Obviously you can't one-way hash these, but you can secure them, and definitely not leave them in project documents.
"In some cases, we may require you to change your password. (For example, if it's commonly used or hasn't been changed in a long time)"

Commonly used? What do they mean by that? Aren't they supposed not to know my password?
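The question raised in this comment and in the earlier one about the "commonly used" wording is whether a service can know that a password is common without storing it in plaintext. It can: the plaintext passes through the login handler on every successful authentication, so the policy check can run there and only a "must change" flag is persisted; and even without the plaintext, a dictionary of common passwords can be hashed under each account's own salt and compared with the stored digest. The example below is added here to illustrate both routes and is not Dropbox's code; the common-password list, the 180-day age policy and the account layout are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of a "commonly used password" list, not any real service's list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dropbox"}

# Hypothetical policy: a password older than this is "not changed in a long time".
MAX_PASSWORD_AGE_SECONDS = 180 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). Only this pair is ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def create_account(password: str, now: float) -> dict:
    """Create the stored record for an account; the plaintext is discarded here."""
    salt, digest = hash_password(password)
    return {
        "salt": salt,
        "digest": digest,
        "password_changed_at": now,
        "must_change": False,
    }


def login(account: dict, password: str, now: float) -> dict:
    """Verify the password and, while the plaintext is in hand, evaluate the policy.

    Nothing but the boolean flag is written back, so the record still holds
    no plaintext after the check.
    """
    _, digest = hash_password(password, account["salt"])
    if not hmac.compare_digest(digest, account["digest"]):
        return {"ok": False, "must_change": False, "reasons": []}

    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("commonly used")
    if now - account["password_changed_at"] > MAX_PASSWORD_AGE_SECONDS:
        reasons.append("not changed in a long time")

    account["must_change"] = bool(reasons)
    return {"ok": True, "must_change": account["must_change"], "reasons": reasons}


def offline_common_password_check(account: dict) -> bool:
    """Flag a common password using only the stored salt and digest.

    Each candidate is hashed under the account's own salt, so the cost is one
    PBKDF2 run per candidate per account; affordable for a short list, which is
    exactly why the list stays short and the work factor stays high.
    """
    for candidate in COMMON_PASSWORDS:
        _, digest = hash_password(candidate, account["salt"])
        if hmac.compare_digest(digest, account["digest"]):
            return True
    return False


if __name__ == "__main__":
    weak = create_account("qwerty", now=0.0)
    print(login(weak, "qwerty", now=10.0))           # ok, must_change, "commonly used"
    print(offline_common_password_check(weak))       # True, found without plaintext
```

The login-time route is what lets a service say "your password is commonly used" at the moment you sign in; the offline route is what lets it say so in a bulk email without ever having had the plaintext on disk. Neither requires reversible storage, which is the possibility the comment above overlooks.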