Dropbox confirms it got hacked, will offer two-factor authentication

129 points by palebluedot, almost 13 years ago

15 comments

mgurlitz, almost 13 years ago

> It turns out a Dropbox employee’s account was hacked, allowing access to user e-mail addresses.

This is misleading.

> Some Dropbox customer accounts were hacked too, but this was apparently an unrelated matter.

Unrelated how? What I read was: "Our investigation found that usernames and passwords recently stolen from other websites... A stolen password was also used to access an employee Dropbox account"

This article dangerously leaves the impression that an intrusion was made into Dropbox's system to access the employee's account, and possibly an admin interface. In reality Dropbox let a spammer with a valid email and password look at someone's files.
FaceKicker, almost 13 years ago

I wish websites with user accounts would offer the option to "login via email" - as in you'd type in your username (or preferably your email) and maybe a captcha and then you'd log in by clicking a link it sends via email afterwards. Ideally having a password associated with the account at all would be optional.

I have a Gmail tab opened just about 100% of the time I'm on the computer, so this would be very convenient for me as an alternative to having to remember passwords for sites that I visit once a month or less (and end up having to get a "password reset" link via email every time I log in anyway), and then I'd only have to keep my Gmail account secure (which I do via 2 factor).
sillysaurus, almost 13 years ago

Dropbox did *not* get hacked. One of their employees used the same password on multiple other sites, and one of *those* got hacked. This is awful journalism.
tomcorrigan, almost 13 years ago

Meh. This has already been posted: http://news.ycombinator.com/item?id=4320429

Also, kindly avoid the linkbait title, Dropbox did not get hacked, some of its users' account credentials were compromised on other sites.
damncabbage, almost 13 years ago

Most worrying quote for me:

*Dropbox today said a stolen password was "used to access an employee Dropbox account containing a project document with user email addresses."*

(What else is being left around in data dumps?)
chmars, almost 13 years ago

IMHO this incident confirms the value of having an individual mail address for each site, service etc.

Gmail has allowed for such individual mail addresses for years:

username+loremipsum@gmail.com

Example:

johndoe+dropboxcom@gmail.com

Mails addressed to johndoe+dropboxcom@gmail.com will be delivered to johndoe@gmail.com. They are easy to identify, filter etc.
jpalomaki, almost 13 years ago

Very happy to hear they are planning to start offering two-factor authentication. Hopefully something that works with Google Authenticator.

For client side encryption I have good experiences from BoxCryptor on Windows.
lgeek, almost 13 years ago
Maybe they should offer client side encryption. You know, the kind that's not reversible on their side of things.
DigitalSea, almost 13 years ago

Is it just me or have there been a lot of security mishaps like this for various high-profile services? LinkedIn was a victim to a much larger extent not too long ago. This is becoming ridiculous.
timkeller, almost 13 years ago

The most annoying part is the disingenuous email we all received tonight.

*Recently, passwords have been stolen from some internet services. We've reset your password.*

I'd have been shocked, but ultimately more respectful of:

*We've had a security violation. You can read about it here. Your account wasn't affected, but we're resetting everyone's password just in case. So sorry about this.*
paulsilver, almost 13 years ago

It disappoints me that a Dropbox employee might be using the same password for a work account and anything not work related. It's bad enough that they might re-use passwords internally, but I find that understandable.

However, using a work e-mail and the password you use at work on someone else's system was stupid. You can have faith in your own security measures, but not anyone else's. If you're going to re-use passwords, at least have a work one and an everything else one.
theprodigy, almost 13 years ago

I believe your Dropbox needs to be as secure as your email account because it deals with storing your personal data. So offering 2 factor authentication is a step in the right direction, like what Gmail has.

Other than that Dropbox can't do much about people using the same passwords for different sites or social engineering attacks. You can educate and warn people about it, but it's ultimately up to the user to follow through.
executive, almost 13 years ago

Not surprising. Remember, we're talking about a service that at times lets anyone log in to another user's account without a password.
rocky1138, almost 13 years ago

To increase security you can enable "email me when a new computer or app is linked to my account" in the account settings.

It's not much, but at least you'll be notified when someone syncs their computer with your Dropbox or adds your Dropbox to their phone.
trekkin, almost 13 years ago
That's why client-side encryption is useful, regardless of what some "security researchers" self-servingly say.