Dropbox has become “problem child” of cloud security

Dropbox, the fast-growing private company that lets you share documents easily online, continues to experience significant security breaches in its service, announcing this time that some user usernames and passwords were stolen “from other websites,” and their accounts accessed.

It also said that an account of one of its employees was broken into, and that it believes user email addresses were stolen from a document accessed from that account.

The news follows two other high-profile instances of security problems at the company. A year ago, Dropbox disclosed that all of its users’ files were publicly accessible for nearly four hours due to a bug in the company’s authentication mechanism. During that time, anyone could access a Dropbox account without using the correct password. And in April, a security hole was discovered in Dropbox’s iOS app, which allowed anyone with physical access to your phone to copy your login credentials — because it stored user login information in unencrypted text files.

It’s a shame, because Dropbox has had amazing momentum in an increasingly competitive space. Dropbox boasts more than 50 million users, double what it had last year, but reports like this could slow it down.

Larger, more conservative companies are more likely to say no to adopting it. Even before the breach last year, the company had announced that it was dedicated to security, so it’s getting hard to take the company seriously.

With this third breach, Dropbox has become a problem child among chief information officers. Already, at our CloudBeat 2011 event last year, Dropbox’s big security snafu in June of that year was one of the most oft-cited examples of the security risks in moving to the cloud. These CIOs are busy scrutinizing cloud services to make sure they are safe for adoption. And by and large, CIOs are giving the green light to applications that are served online, especially if they play safely, and behind the firewall.

To be sure, Dropbox has been pretty clear that it intends to remain focused on viral adoption by consumers and that it isn’t focused on the enterprise. It’s also obvious, though, that many users are adopting Dropbox for use in the workplace (we use Dropbox at VentureBeat, among several other products, including the more enterprise-focused Box, for example). And Dropbox also probably has a Trojan-horse strategy to sneak into the enterprise by way of avid users who lobby their employers to be able to use it.

Regarding the latest breach, the company said someone had stolen usernames and passwords and used them to sign in to a “small number of Dropbox accounts.” The company said it has contacted these users and helped them to secure their accounts. The company had launched investigations into the accounts after some users reported receiving spam. The company said it has put “additional controls in place to help make sure it doesn’t happen again.”

Here’s the full statement:

A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:

• Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
• New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
• A new page that lets you examine all active logins to your account.
• In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.

If you have any questions or concerns, please contact us at support+security@dropbox.com. We’re committed to keeping your Dropbox safe and will continue to monitor this situation carefully.