Dropbox sends password change notification to some users

In a blog post today, Dropbox's VP of engineering Aditya Agarwal explained that the online storage company is addressing some key security concerns in the wake of some concerning incidents. Some Dropbox users saw a spike in spam messages to their registered email accounts over the past few weeks, which drove an internal investigation.

The spam emails turned out to be the result of a breach of an employee's Dropbox account, which contained a project file with some user contact information. The employee's account info had been stolen from a third-party website that was compromised -- which points out the necessity of having password diversity among your web service accounts, rather than using the same password for all of them.

To help protect against future security issues, Dropbox is implementing some policy and technical changes immediately, and also rolling out others over the next few weeks. Two-factor authentication is one of the future changes, similar to what Google has already implemented for Gmail accounts; users will be able to validate password changes with a separate factor or via a cellphone verification pass.

In the meantime, some Dropbox users who have never changed their password or who have an easily crackable password will be getting email reminders to change their password. These emails may appear suspicious, but they are coming from Dropbox (and you should double-check, should you receive one, that you're directed to a Dropbox reset page). When you pick a new password, you can make it extra secure by using a random generation system like Diceware -- endorsed by the makers of 1Password and XKCD alike.
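To make the Diceware recommendation concrete, here is an added example (not from the article, TUAW, Dropbox or the Diceware project) showing how the method works: five cryptographically random d6 rolls form a key that selects one word from a 7776-entry list, and the entropy of the result depends only on the list size and the number of words. The word list below is a constructed twelve-entry sample used purely to demonstrate the mapping; a real Diceware list has 7776 entries, so the entropy figures are computed against that size.

```python
import math
import secrets

# Constructed sample word list (assumption): not the real Diceware list, which
# has 7776 entries keyed by five dice digits "11111".."66666".
SAMPLE_WORDS = ["abacus", "basket", "cobalt", "dune", "ember", "fossil",
                "garlic", "harbor", "ivory", "jungle", "kettle", "lantern"]

DICE_PER_WORD = 5                          # Diceware: five d6 rolls per word
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 possible keys


def roll_key(rng=secrets.randbelow):
    """Return a Diceware key such as '31462' from five random d6 rolls.

    `rng(n)` must return an integer in [0, n); secrets.randbelow is used by
    default because random.random() is not suitable for password material.
    """
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key):
    """Map a five-digit dice key ('11111'..'66666') to a 0-based index (0..7775).

    The key is read as a base-6 number with digits 1..6, so every key maps to
    exactly one list position and the selection stays uniform.
    """
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError("key must be exactly five digits in the range 1..6")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def entropy_bits(list_size, n_words):
    """Entropy of n_words independent uniform picks from a list of list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words whose passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words, separator=" "):
    """Pick n_words uniformly at random from `words` using the secrets module.

    For a list of any size this is equivalent to rolling dice and looking the
    key up; it is used here so the tiny sample list can be exercised directly.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    key = roll_key()
    print(f"dice key {key} -> list index {key_to_index(key)}")
    print(f"6 words from a full Diceware list: "
          f"{entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(DICEWARE_LIST_SIZE, 80)}")
    print("demo passphrase (sample list only):",
          generate_passphrase(SAMPLE_WORDS, 6))
```

The useful takeaway for a defender is the `words_needed` calculation: with a full 7776-word list each word contributes about 12.9 bits, so six words give roughly 77.5 bits and seven are needed to pass 80, regardless of which words happen to come up.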

[Source: TUAW]