Dropbox is the latest victim (Snapchat was last week) to announce that a third-party integration caused a ton of their usernames and passwords to be leaked on Pastebin. At this point, most of our super-useful cloud services (Evernote, Twitter, Facebook, Google, and Dropbox, to name a few) have the ability to turn on some kind of stepped-up authentication. Some of these use Google Authenticator, which couldn’t be any easier to use than it already is (probably).
So after you go change your Dropbox password (to something unique, not used on any other website), take a few moments to step up your authentication with 2-factor authentication. It will only take you a few minutes, and it will give you peace of mind to know that someone will need more than just your password to get access to your stuff. Below are some links to set up stepped-up (not all are true 2-factor) authentication on your most popular cloud services:
- Dropbox
- GoDaddy
- WordPress
- Paypal
- General post on how to do this with popular sites (good reference)
Once you are done with Dropbox, consider stepping up your authentication schemes on the rest of your services. Also, urge your providers to support third-party authenticators that are NOT tied to SMS, such as U2F and FIDO2!
Update 10/2015: Check out this great resource on Stop Think Connect’s website for 2-factor authentication!
Update 12/2020: Google updated their Authenticator app so that you can transfer your keys from one phone to the next! This is a HUGE deal as it was one of the biggest problems with the Google Authenticator App on iPhone. Details here.
Update 05/2022: Jack O’Carroll reached out from Daito and pointed out that an older link didn’t work. You can get an idea about what kinds of sites offer MFA here, and you can also check other places like Yubico’s list for FIDO authenticators.
FYI: If you are reading this post sometime in the future, keep in mind that some of these links may change. Just drop “enable 2-factor auth in X” in your nearest search engine, where X is the service for which you are enabling it. If it is available, you are most likely going to find it that way. Past Brando apologizes for Future You’s plight.