Dropbox has finally responded to several weeks of complaints from users whose email addresses had been targeted with spam, admitting that an employee's company email account may have been hacked and that a list of Dropbox user information was taken and targeted by rogue marketers.
In light of recent attacks on web services, the most notable being the theft of millions of LinkedIn's passwords in June, it was perturbing to some that Dropbox has only now decided to introduce two-factor authentication.
SafeNet EMEA vice president Gary Clark told Computing that the apparent lack of complexity in Dropbox's authentication systems was inexcusable.
"It's good to see that Dropbox has done something about this security breach, but it shouldn't have happened in the first place," said Clark. "The bigger surprise here was that Dropbox didn't seem to have had any two-factor authentication in place at the time of the incident. This could have mitigated the risk of a password being stolen.
"As this incident clearly shows, password authentication is not an effective approach to securing access to sensitive data as login details could be easily stolen or compromised," continued Clark.
"What's needed is multi-factor authentication that adds an additional layer of protection and requires password identification to be accompanied by token verification or other means for authentication to ensure that only trusted users are gaining access to the system."
According to the company's blog, Dropbox will introduce two-factor authentication "in a few weeks"; it will demand the usual login password as well as a new factor, "such as" a temporary code sent to a phone.
Automated "suspicious activity" monitors will also be introduced and, as a last resort, each user will soon be able to view a feed of activity on their account so they can police it themselves should the need arise.
"With more and more personal information being stored online or in the cloud, data integrity becomes an increasingly important asset for brands," said Clark. "Once consumers' trust has been lost, the reputational damage could be detrimental for the business.
"Data protection needs to be taken seriously and online brands like Dropbox should be at the forefront of applying the highest security standards when handling information entrusted by their customers," he concluded.