Cloud Security Spam

Dropbox Confirms Email Addresses Were Pilfered

bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.
  • by McDee ( 105077 ) on Wednesday August 01, 2012 @10:03AM (#40841823) Homepage

    Okay so yes it's a good idea to have different passwords for each website, but given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    And yes, two-factor authentication would be very nice. Please do it using an already-existing system like YubiKey rather than make your own.

  • Ummm... (Score:4, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday August 01, 2012 @10:16AM (#40841983) Journal

    And why, pray tell, did this Dropbox employee have a list of user email accounts stored in his Dropbox?

    Unless they run things rather differently than everybody else in the universe, user emails aren't exactly zOMG Super Secret; but they tend to reside somewhere in the bowels of the system for mailing-list and password reset purposes handled largely by automated tools, not in list form in human file storage areas. Outside of the relatively small number that might collect during the course of handling support requests or the like, why would an employee have any use for a substantial list of addresses, stored insecurely?

  • by rgbrenner ( 317308 ) on Wednesday August 01, 2012 @10:19AM (#40842025)

    A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

    Dropbox is not exactly a small company.. They had $240 million in revenue in 2011 entirely from storing customer data.. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/ [forbes.com]

    It's been just over a year since the login-without-a-password Dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.

    It's all just so incredibly sloppy.

    Why are they still in business? They obviously don't know what they are doing. I have no idea how anyone can trust them with their data.

  • by rgbrenner ( 317308 ) on Wednesday August 01, 2012 @10:23AM (#40842077)

    The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..

    Why in the hell did he have a list of customer email addresses in his account?

    Is this a common practice there.. to let employees store copies of customer data all over the place?

    I think Dropbox has proven repeatedly they really don't care about the security of their customers' data.

  • by Glendale2x ( 210533 ) <[su.yeknomajnin] [ta] [todhsals]> on Wednesday August 01, 2012 @10:38AM (#40842269) Homepage

    Another question would be why does an employee have a list of user email addresses stored in their account? If employees can export customer data like that who cares how many factors of authentication they add.
