Dropbox Confirms Email Addresses Were Pilfered 89

Posted by Unknown Lamer
from the three-factor-auth-coming-to-a-store-near-you dept.
bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.
  • by MrEricSir (398214) on Wednesday August 01, 2012 @09:49AM (#40841641) Homepage

    In so many of these cases, the only reason anyone finds out that a site or service was hacked was that the hackers were nice enough to brag about it in public or leave some kind of obvious trail.

    It makes one wonder: how much black hat hacking goes undetected? A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

    • by evilRhino (638506) on Wednesday August 01, 2012 @10:03AM (#40841819)
      Actually, the hackers didn't tell anyone. If people hadn't set up specific email addresses for their dropbox account, checked these boxes for mail, and reported spam, this might have never been discovered.
      • by Rob Riggs (6418)
        I had the same problem with United Airlines about a decade ago. Just about every company I deal with gets their own email address. I started getting spam to the account I used for United. They were actually pretty good about responding when the abuse was brought to their attention. IIRC they traced it back to an email service vendor.
    • by rgbrenner (317308) on Wednesday August 01, 2012 @10:19AM (#40842025)

      A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

      Dropbox is not exactly a small company. They had $240 million in revenue in 2011 entirely from storing customer data. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/ [forbes.com]

      It's been just over a year since the login-without-a-password dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.

      It's all just so incredibly sloppy.

      Why are they still in business? They obviously don't know what they are doing. I have no idea how anyone can trust them with their data.

      • by Glendale2x (210533) <slashdot@NOSpaM.ninjamonkey.us> on Wednesday August 01, 2012 @10:38AM (#40842269) Homepage

        Another question would be why does an employee have a list of user email addresses stored in their account? If employees can export customer data like that who cares how many factors of authentication they add.

        • by AlecC (512609)

          Presumably because they had received and handled emails from users. You don't need to "export" the email address, you just need to be the person designated to handle a customer issue. Their email address then goes to your addressbook, and anybody who hacks your account can read your addressbook.

      • by AmiMoJo (196126)

        I have no idea how anyone can trust them with their data.

        Who says we do? Truecrypt container FTW.

      • If your files are encrypted client side it doesn't matter what they do with your data as long as you can pull it back down.
        Strong encryption means you don't have to trust anyone*.
        (*as long as you are the only one who knows the password)

      • by Sarten-X (1102295)

        I have no idea how anyone can trust them with their data.

        The vast majority of the population either doesn't care about their data security, or doesn't know enough about Dropbox's shortcomings to be concerned. As for myself, my most recent use of dropbox was to synchronize work on a group project. We had one team at remote locations uploading data, and another two teams retrieving the data and processing it. All our data was practically worthless to anyone else, and not too private to us.

        Dropbox operates very much like a real physical dropbox: You can stick stuff

    • by JoshuaZ (1134087)
      The point about small companies is valid, but there's probably not that much malicious hacking directed at small companies. If the companies are that small, there's not that much payoff to the hackers.
  • by Anonymous Coward

    OMG my mail has been ... what? pilfered? ...

    • I, and tens of thousands of others, learned what pilfered was back in 7th grade playing mystery at marple manor on the c64. You are down a point on geek cred now, thanks, drive through.
  • To top it all the password change section of their website is down (wanted to change my password just in case).

  • by McDee (105077) on Wednesday August 01, 2012 @10:03AM (#40841823) Homepage

    Okay so yes it's a good idea to have different passwords for each website, but given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    And yes, two-factor authentication would be very nice. Please do it using an already-existing system like YubiKey rather than make your own.

    • by Captain Hook (923766) on Wednesday August 01, 2012 @10:22AM (#40842067)

      given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

      The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.

      When the hackers tried his credentials on the dropbox site, they found his dropbox account used the same password and were able to access all the files he was storing which contained a list of names and email addresses.

      They are mentioning using different passwords for different sites not because they are worried about your password but because it was how dropbox themselves got attacked.

      • by McDee (105077)

        Yeah I get what happened, but then that's an internal issue for Dropbox. Putting it up as part of their explanation for what happened just seems like a diversionary tactic (everyone thinks "ooh I use the same password in different places, maybe it's partly my fault" as opposed to "Dropbox have some really bad security policies in place, I wonder how much more of my information is sitting in Dropbox employees' personal stashes?")

        • by BronsCon (927697)

          Diversionary tactic or not, how many Dropbox users would understand, or even care about, the privacy implications of Dropbox's security policies? I'm guessing just the ones in this thread, so, by far, the minority. What the email they sent out (I got one, I've read it, I know what it says) does, that you're ignoring, is educate users who don't know better, including the employee whose account was hacked.

          Now, I'm not supporting their security practices; certainly, that information should not have been store

    • by rgbrenner (317308) on Wednesday August 01, 2012 @10:23AM (#40842077)

      The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites...

      Why in the hell did he have a list of customer email addresses in his account?

      Is this a common practice there, to let employees store copies of customer data all over the place?

      I think dropbox has proven repeatedly they really don't care about the security of their customers data.

    • by plover (150551) *

      The lecture is "whoops, we just learned that we got hacked this way, just like everyone else said would happen about 10 years ago, so we're passing the lesson onwards to you."

      The real takeaway is "we are about 10 years behind everyone else in security." Which is a shame, because I really like Dropbox.

      But it's like using any service provider - you're putting your eggs in someone else's basket. So when they trip and drop them, don't act all surprised and outraged, because you are the one who chose to use th

      • by BronsCon (927697)
        Who said they don't already have a policy against using the same password in multiple places? The problem is that, whether they have such a policy or not, it's unenforceable.
        • by plover (150551) *

          It's enforceable, just not technically. (If it were technically possible, they could automate it.) Have a corporate policy that says "Thou shalt not use thy corporate password outside of the corporation's computer systems, or thou shalt be fired." Then when a publicly visible violation occurs, you invoke the penalty clause in a public fashion, so that everyone can see you take the policy very seriously.

          Ask the Apple guy who lost the prototype iPhone 4 about the experience. Then ask a current Apple emplo

          • by BronsCon (927697)

            Have a corporate policy that says "Thou shalt not use thy corporate password outside of the corporation's computer systems, or thou shalt be fired." Then when a publicly visible violation occurs, you invoke the penalty clause in a public fashion, so that everyone can see you take the policy very seriously.

            Mhm... One flaw...

            It's heartless and ugly and cruel...

            ...and it requires one user to violate it before it becomes an effective deterrent. Even then, it only serves as a warning to those presently employed; n00bs won't have gotten the message.

    • I'm a huge fan of Google's. I have it installed on my phone, tablet and iPod touch. If I lose one I can revoke that authentication. I have been out at a friend's house and couldn't login once but the security benefits outweigh any issues I've ever had with it. Anytime I login from a non-standard computer I type in a generated number.

  • by Anonymous Coward

    I signed up with them and immediately got a bunch of bogus "job offer" spam, luckily google filtered it all out but it's not cool man. stackoverflow claims to be a geeky site, how do they let that happen?

    • How do you know it was dropbox that let your address out?

      I use spamgourmet [spamgourmet.com] to create unique email addresses for every site that wants my email address. I've used this for nearly 10 years and have created 616 different email addresses. The one I used for dropbox has never received spam, but I have gotten spam on the addresses I created for a samsclub rebate, and for the email address I used to make an account with Sony Online Entertainment, and on a few various other websites. These types of database crack

  • by Anonymous Coward

    Ok, great, you move to 2 factor authentication and the mean bad guys can't login as an employee anymore. But what if the employee accidentally copies that or something equally sensitive to a public folder? Or what if they get phished into browsing to a malicious url with an exploit that is able to get at that file somehow?

    Also, what the HELL was any employee doing with a copy of any type of data for your user base in a dropbox in the first place? That stuff should be locked away tightly in a database in a wa

    • by kaushik (158328)

      Companies do try in earnest. I'd be willing to admit that bigger companies probably try a lot harder. Firms like Ebay are constantly training (and retraining) their employees on social engineering, document security, the risks of transferable media (e.g. USB drives), etc.

      However, it is practically impossible for a company to put bulletproof safeguards around things like:

      + Laziness (opting for convenience vs. security)
      + Ignorance
      + Malice (intentional compromise of information)
      + Plain old human error

      So the

      • by dave562 (969951)

        ...When they take the final step and modify their Acceptable Use Policy to include termination for those who violate the policy, and then actively enforce it.

        We deal with highly confidential and sensitive information all the time, including personally identifiable information. Everyone understands the consequences of trying to circumvent the controls that have been put in place on the systems. In this economy, the few of us who are fortunate enough to have a job are not going to throw them away.

        The only +

  • Ummm... (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Wednesday August 01, 2012 @10:16AM (#40841983) Journal

    And why, pray tell, did this dropbox employee have a list of user email accounts stored in his dropbox?

    Unless they run things rather differently than everybody else in the universe, user emails aren't exactly zOMG Super Secret; but they tend to reside somewhere in the bowels of the system for mailing-list and password reset purposes handled largely by automated tools, not in list form in human file storage areas. Outside of the relatively small number that might collect during the course of handling support requests or the like, why would an employee have any use for a substantial list of addresses, stored insecurely?

    • by Anonymous Coward

      Not to defend Dropbox, but over my time as a maintenance programmer at agencies, I've routinely had to export email addresses from user account lists so they could be imported into third party mailing systems for newsletter runs etc - sometimes even large companies don't do all of this inhouse, especially if they are involving a dedicated advertising agency thats doing complicated AB testing or targeted advertising.

      In fact, right this second I have email addresses (in fact, significant demographic and persona

    • by deroby (568773)

      I haven't read the reports / blogs / etc... yet, but I can come up with plenty of reasons to have a list of email addresses on my system. It might be I work for marketing and need to send out some kind of mailing. I bet there are many tools out there that will take simple text-files as input for the emails. Another reason might be that they were using the list to transfer data to some test-environment and rather extracted it once into a text-file and then many times into the dev-environments rather than doi

    • by jbolden (176878)

      Email accounts often act as a proxy for a member identifier / account identifier. They aren't perfectly unique in either direction. Sometimes multiple people share an email but then they are sharing an account; sometimes the same person has multiple emails but then effectively that person is acting like multiple people.

      For most companies the majority of their middleware are desktop productivity applications like Access combined with a semi skilled office worker. A file gets pulled from one server, manipu

  • "This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication."

    Two-factor authentication? WTF?! Why not just sack the luddite and his nearest boss?

    • Why not just sack the luddite and his nearest boss?

      If you don't sack at least a VP you don't even get management's attention on the prevention of similar nonsense. Where were the business processes to keep the luddite away from customer data?

  • by dbIII (701233) on Wednesday August 01, 2012 @10:36AM (#40842251)
    You'd think at least the dropbox people would be aware of how insecure dropbox is.
    You let somebody in and they can always get in - changing the password doesn't change the key and only gives the illusion that you are locking people out.
    • No - you let someone in and they can get in until you unlink their device.

      Which is trivial to do from the web interface.
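The two comments above disagree about what a password change does to a device that is already linked. The block below is an added example, not Dropbox's code, of the server-side bookkeeping behind "linking" a device with an opaque token: with `bind_to_password=False` it behaves the way dbIII describes (a password change leaves every issued token working, and only an explicit unlink ends access); with `bind_to_password=True` every token records the password generation it was issued under, so a password change invalidates all outstanding tokens as well. The class name, token format and generation counter are assumptions made for this example.

```python
import secrets


class LinkedDevices:
    """Per-account registry of linked devices.

    link() issues an opaque random token that the client stores and presents on every
    sync request; is_valid() is the check those requests go through."""

    def __init__(self, bind_to_password: bool):
        self.bind_to_password = bind_to_password
        self.password_generation = 0          # bumped on every password change
        self.tokens = {}                      # token -> (device_name, generation at issue)

    def link(self, device_name: str) -> str:
        # 256 bits from the OS CSPRNG. The token is never derived from the password,
        # which is exactly why a password change alone does nothing to it.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (device_name, self.password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self.tokens.get(token)
        if entry is None:
            return False                      # unknown or unlinked
        _, issued_generation = entry
        if not self.bind_to_password:
            return True                       # the behaviour complained about above
        return issued_generation == self.password_generation

    def linked(self) -> list:
        """What a 'linked devices' page would list; stale entries stay visible so the
        account owner can spot a device they never linked."""
        return sorted(name for name, _ in self.tokens.values())

    def unlink(self, device_name: str) -> int:
        stale = [t for t, (name, _) in self.tokens.items() if name == device_name]
        for t in stale:
            del self.tokens[t]
        return len(stale)

    def change_password(self) -> None:
        # The password itself is not modelled; only its effect on outstanding tokens matters.
        self.password_generation += 1


if __name__ == "__main__":
    account = LinkedDevices(bind_to_password=False)
    stolen = account.link("attacker-laptop")   # attacker linked a device while they had the password
    account.change_password()
    print("still valid after password change:", account.is_valid(stolen))
    account.unlink("attacker-laptop")
    print("valid after unlink:", account.is_valid(stolen))
```

Either design is defensible as long as the user can see and revoke devices, but the bound variant is the safer default after a credential compromise: the owner does not have to notice the extra device in the list for the attacker to be cut off.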

  • Dropbox should definitely take security seriously being a cloud based storage solution and all, but lets face it - any online account is vulnerable to this same type of attack. I use Dropbox and I love it. This little breach will not scare me away. How many people have bad run-ins with their bank accounts being hacked and money siphoned out to who knows where? That is something to worry about!
    • That is just it, cloud services are inherently insecure. The trade-off comes with convenience, no hardware to fiddle with, no set up, just write a check every month.

  • "To prevent future incidents, Dropbox is moving toward two-factor authentication." How does "moving" toward two-factor mean anything. Heck, I can say I'm moving toward 4 factor authentication (I am, I know, I have, I drank?) to prevent future incidents, but that doesn't mean anything. It's like saying the Queen of England can die as early as today. I hate this kind of news, and if Dropbox wants to repair their reputation for those of us in the security community they need to do a better job of reducing thei
  • For those that don't know, there is a simple and fantastic service called SpamGourmet. You can create disposable addresses on the fly, control how many emails they accept, etc.

    http://spamgourmet.com/ [spamgourmet.com]

  • ... for taking the problem seriously. I've been contacting folks lately when my unique e-mail addresses are compromised. Most never write back. I got a call back from the TiresByWeb folks, which seemed promising, but their IT guy told me that it was impossible, that the spammers must have guessed the address, and that they don't want to have me as a customer anymore. Your call if you want to ever hand them credit card information in the future.

    • by jroysdon (201893)

      Well, if it was dropbox@yourdomain.com, I could see that argument. I started using sitename.YYYYMMDD@mydomain.com to prove it beyond the shadow of a doubt. As I run my own mail servers, either the recipient, one of our ISPs, or one in between would have had to have skimmed the email address. I've had a dozen or so sites leak these addresses. If I don't need them, I just block the aliases on my server. If I need them (domain registrar, etc.), I just bump the date, make sure I get the change confirmation email, and then

      • Well, if it was dropbox@yourdomain.com, I could see that argument

        yeah, not quite that generic, and only that one site's address got spam, and it was a vendor I had a business relationship with.

        sitename.YYYYMMDD@mydomain.com

        Good thought. Now that I'm using LastPass this becomes feasible for me too. Thanks - I'll start doing that.
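Several commenters in this thread (the spamgourmet users above and jroysdon's sitename.YYYYMMDD@mydomain.com scheme just above) are doing the same thing by hand: giving every site its own address so that spam arriving at one of them identifies which site leaked it. The block below is an added example, not any commenter's script, of that scheme automated on the receiving side: it issues per-site aliases in the dated format, parses them back out of inbound-mail log lines, flags any alias that receives mail from a domain other than the one it was issued to, and rotates a burned alias to a new date. The log-line shape, the domain `mydomain.example`, the sample lines and the expected-sender table are all constructed for this example, and the sender address is treated only as context, since a spammer forges it; the recipient alias is the evidence.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed alias layout: <site>.<YYYYMMDD>@mydomain.example (jroysdon's scheme, assumed domain).
DOMAIN = "mydomain.example"
ALIAS_RE = re.compile(
    r"^(?P<site>[a-z0-9-]+)\.(?P<date>\d{8})@" + re.escape(DOMAIN) + r"$", re.IGNORECASE
)
# Assumed, simplified inbound log line: "<timestamp> from=<sender> to=<recipient>".
LOG_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")


def alias_for(site: str, issued: date) -> str:
    """The address to hand to `site` today."""
    return f"{site}.{issued:%Y%m%d}@{DOMAIN}"


def parse_alias(addr: str):
    """(site, issue date) for one of our aliases, or None for any other address."""
    m = ALIAS_RE.match(addr.strip())
    if not m:
        return None
    d = m.group("date")
    try:
        issued = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    except ValueError:
        return None                      # eight digits that are not a date
    return m.group("site").lower(), issued


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def find_leaks(log_lines, expected_senders):
    """expected_senders: site -> set of domains that legitimately write to that site's alias.

    Returns site -> sorted [(alias, unexpected sender domain)]. Mail to a per-site alias
    from anyone other than the issuing site means that site (or its mail vendor) leaked it."""
    leaks = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parsed = parse_alias(m.group("rcpt"))
        if parsed is None:
            continue                     # a normal mailbox, not a tracked alias
        site, _ = parsed
        dom = sender_domain(m.group("sender"))
        if dom not in expected_senders.get(site, set()):
            leaks[site].add((m.group("rcpt").lower(), dom))
    return {site: sorted(pairs) for site, pairs in leaks.items()}


def rotate_alias(leaked: str, today: date) -> str:
    """Replacement for a burned alias: same site, today's date (block the old one at the MTA)."""
    site, _ = parse_alias(leaked)
    return alias_for(site, today)


# Constructed sample log for this example; none of these messages are real.
SAMPLE_LOG = [
    "2012-08-01T09:12:03 from=<no-reply@dropbox.example> to=<dropbox.20120315@mydomain.example>",
    "2012-08-01T09:40:51 from=<winner@lottery-prize.example> to=<dropbox.20120315@mydomain.example>",
    "2012-08-01T10:02:17 from=<deals@rebates-now.example> to=<samsclub.20110902@mydomain.example>",
    "2012-08-01T10:15:44 from=<support@tiresbyweb.example> to=<tiresbyweb.20120601@mydomain.example>",
    "2012-08-01T10:20:09 from=<alice@friend.example> to=<bob@mydomain.example>",
    "2012-08-01T10:33:30 from=<bounce@mailer.example> to=<dropbox.notadate@mydomain.example>",
]
EXPECTED_SENDERS = {
    "dropbox": {"dropbox.example"},
    "samsclub": {"samsclub.example"},
    "tiresbyweb": {"tiresbyweb.example"},
}

if __name__ == "__main__":
    for site, hits in find_leaks(SAMPLE_LOG, EXPECTED_SENDERS).items():
        for alias, dom in hits:
            print(f"{site}: {alias} received mail from {dom}; replace with {rotate_alias(alias, date.today())}")
```

The date in the alias is what turns a hunch into evidence: a site cannot claim the address was guessed when the only copy of `dropbox.20120315@...` ever issued went to them on that day, and after rotation the old alias can simply be rejected at the server.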

  • For years, service providers have been beating up their customers to get them to use secure passwords, but time after time, it turns out that the service providers are the worst security offenders.

    What is it going to take to get the services to take security seriously?

    It's not that hard: Build a dedicated authentication server. Account names and passwords (preferably hashed) are stored there, and NOT in any other database on any other server owned by the service. The authentication server acts as a near bla
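The comment above sketches a dedicated authentication server whose database is the only place credentials live, stored hashed. The block below is an added example, not the commenter's design or any vendor's code, of the core of that server in Python's standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 records that carry their own parameters (so the work factor can be raised later without breaking old records), verification is constant-time, other services only ever receive a yes/no answer, and an unknown user costs the same amount of work as a wrong password so the two cannot be told apart by timing. The record format, the class name and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor; tune so one hash takes roughly 100 ms on the authentication host.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Returns a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(16)                                  # fresh per-password salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iters)
    except ValueError:
        return False                                       # malformed record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)       # constant-time comparison


class AuthServer:
    """The only component that ever sees a password. Everything else asks authenticate()
    and gets back True/False; no other database holds names and credentials."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records = {}                                 # username -> hash record
        # Hashed against for unknown users so a missing account takes as long as a bad password.
        self._decoy = hash_password(secrets.token_hex(16), iterations)

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password, self.iterations)

    def authenticate(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            verify_password(self._decoy, password)         # burn the same work, then refuse
            return False
        return verify_password(record, password)

    def needs_rehash(self, user: str) -> bool:
        """True when a stored record was made with fewer iterations than the current setting;
        call after a successful login and re-register with the plaintext you were just given."""
        record = self._records.get(user)
        return record is not None and int(record.split("$")[1]) < self.iterations


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse battery staple")
    print(server.authenticate("alice", "correct horse battery staple"))  # True
    print(server.authenticate("alice", "hunter2"))                       # False
    print(server.authenticate("nobody", "hunter2"))                      # False, same cost
```

Hashing is the part the comment calls "preferably"; it is the part that matters most, because it is what keeps a copy of this database (the employee's Dropbox folder, in this story's terms) from being a list of working passwords.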

  • Security should be a part of service providers' core philosophy; and if security isn't part of the cloud DNA, good luck bolting it on later. Here's a useful resource to learn more about cloud security: http://www.dincloud.com/security [dincloud.com] Hope you'll find it informative and useful.
