The news that up to 7 million Dropbox usernames and passwords may have been compromised is a good opportunity for businesses to review their use of multi-factor authentication for the online services that they rely on.
At this stage the Dropbox leak appears to be a result of re-use of passwords on multiple sites, not a direct hack of Dropbox itself. It is unfortunately quite common for individuals to sign up to different online services using the same email address and password.
It is possible that an attacker has compromised a third party system, and then used the usernames and passwords obtained from that hack to access Dropbox accounts that use the same login details.
This type of event really highlights the importance of using multi-factor authentication for online services whenever possible. This is also sometimes referred to as two-factor or two-step authentication.
For most online services users will log in using their email address and password. When these are the only login details required to gain access to the system there is always the risk that an attacker will discover the credentials and be able to log in to that system with your account.
Even when you choose a strong password, such as a complex passphrase made up of a mixture of alphanumeric symbols and other characters, if the password is compromised then the attackers can gain access.
With multi-factor authentication (or MFA) a person can’t log in to the system without knowing the username, password, and an additional authentication detail. This additional authentication detail is usually in the form of a temporary code that is provided to the user via text message on their phone, or as a generated code displayed in a smartphone app or security token.
When multi-factor authentication is used, even if an attacker is able to discover the username and password for the account they still can’t log in to the system without having access to that additional authentication code.
So in the case of the Dropbox password leak, even if your Dropbox account credentials are exposed in the leak, nobody can use them to log in. This gives you time to take steps to further protect your account, for example by changing your password.
For a comprehensive list of online services that support multi-factor authentication check out TwoFactorAuth.org.