Dropbox Confirms Email Addresses Were Pilfered
bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses."
This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.
Nice of the hackers to tell us (Score:5, Interesting)
In so many of these cases, the only reason anyone finds out that a site or service was hacked was that the hackers were nice enough to brag about it in public or leave some kind of obvious trail.
It makes one wonder: how much black hat hacking goes undetected? A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.
Re:Nice of the hackers to tell us (Score:5, Informative)
Re: (Score:3)
Re:Nice of the hackers to tell us (Score:5, Insightful)
A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.
Dropbox is not exactly a small company.. They had $240 million in revenue in 2011 entirely from storing customer data.. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/ [forbes.com]
It's been just over a year since the login-without-a-password dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.
It's all just so incredibly sloppy.
Why are they still in business? They obviously don't know what they are doing. I have no idea how anyone can trust them with their data.
Re:Nice of the hackers to tell us (Score:4, Insightful)
Another question would be why does an employee have a list of user email addresses stored in their account? If employees can export customer data like that, who cares how many factors of authentication they add.
Re: (Score:1)
Presumably because they had received and handled emails from users. You don't need to "export" the email address, you just need to be the person designated to handle a customer issue. Their email address then goes to your address book, and anybody who hacks your account can read your address book.
Re: (Score:3)
I have no idea how anyone can trust them with their data.
Who says we do? Truecrypt container FTW.
Re: (Score:2)
If your files are encrypted client side it doesn't matter what they do with your data as long as you can pull it back down.
strong encryption means you don't have to trust anyone*.
(*as long as you are the only one who knows the password)
Re: (Score:2)
*Whoosh*
I can put anything I want into your dropbox account and it will magically appear on every machine you've linked it to.
I can edit anything I want in your dropbox account and THAT will magically appear on every machine you've linked it to.
You are clueless as to what I can do to someone if I have that ability. I think it's safe to add yourself to the pool of people with no idea of what they are doing.
Re: (Score:2)
I have no idea how anyone can trust them with their data.
The vast majority of the population either doesn't care about their data security, or doesn't know enough about Dropbox's shortcomings to be concerned. As for myself, my most recent use of dropbox was to synchronize work on a group project. We had one team at remote locations uploading data, and another two teams retrieving the data and processing it. All our data was practically worthless to anyone else, and not too private to us.
Dropbox operates very much like a real physical dropbox: You can stick stuff
Re: (Score:2)
pilfered (Score:1)
OMG my mail has been ... what? pilfered? ...
Re: (Score:1)
Password Change 500 Error (Score:1)
To top it all the password change section of their website is down (wanted to change my password just in case).
Why are They Lecturing Us About Password Security? (Score:4, Insightful)
Okay so yes it's a good idea to have different passwords for each website, but given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.
And yes, two-factor authentication would be very nice. Please do it using an already-existing system like YubiKey rather than make your own.
Lecturing Us About Password Security? (Score:5, Informative)
The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.
When the hackers tried his credentials on the dropbox site, they found his dropbox account used the same password and were able to access all the files he was storing which contained a list of names and email addresses.
They are mentioning using different passwords for different sites not because they are worried about your password but because it was how dropbox themselves got attacked.
Re: (Score:1)
Yeah I get what happened, but then that's an internal issue for Dropbox. Putting it up as part of their explanation for what happened just seems like a diversionary tactic (everyone thinks "ooh I use the same password in different places, maybe it's partly my fault" as opposed to "Dropbox have some really bad security policies in place, I wonder how much more of my information is sitting in Dropbox employees' personal stashes?")
Re: (Score:3)
Diversionary tactic or not, how many Dropbox users would understand, or even care about, the privacy implications of Dropbox's security policies? I'm guessing just the ones in this thread, so, by far, the minority. What the email they sent out (I got one, I've read it, I know what it says) does, that you're ignoring, is educate users who don't know better, including the employee whose account was hacked.
Now, I'm not supporting their security practices; certainly, that information should not have been store
Re: (Score:2)
Re:Why are They Lecturing Us About Password Securi (Score:5, Insightful)
The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..
Why in the hell did he have a list of customer email addresses in his account?
Is this a common practice there.. to let employees store copies of customer data all over the place?
I think dropbox has proven repeatedly they really don't care about the security of their customers data.
Re: (Score:3)
Excuse me.. but please don't make up explanations and ask us all to pretend it's ok.
Dropbox says it was a project document with hundreds of customer email addresses.
I don't know about you, but I don't call my email client a "project document"
Re: (Score:2)
Dropbox says it was a project document with hundreds of customer email addresses.
Hate to correct myself.. but dropbox did not say "hundreds".. they just said it was a project document with customer email addresses.. So who knows how many were in the file
Re: (Score:2)
Re: (Score:2)
An employee's Dropbox account was hacked that had a file with client email addresses in it.
Well, yeah. Can you imagine the field day Wuala et al would have if word got out that Dropbox created a second, more secure file storage and transfer service for internal use? Not eating one's dogfood is a huge sign of lacking confidence in the product...
Re: (Score:2)
Yes, that's right.. anyone who thinks their personal data should be protected is shilling for a dropbox-competitor. [/sarcasm]
I work for an ecommerce site, where we deal with personally-identifiable information every single day. We protect our customers' data, and downloading copies of it to another computer is a FIREABLE OFFENSE.
So tell me, if dropbox really cares, why do they not have a similar policy? which dropbox employee is getting fired for this?
Dropbox copies their customers' data all over the place.
Re: (Score:2)
No, it could not be "email client syncing". The dropbox announcement specifically says it was a project document. So they DID copy the info for a specific project.
Re: (Score:2)
The lecture is "whoops, we just learned that we got hacked this way, just like everyone else said would happen about 10 years ago, so we're passing the lesson onwards to you."
The real takeaway is "we are about 10 years behind everyone else in security." Which is a shame, because I really like Dropbox.
But it's like using any service provider - you're putting your eggs in someone else's basket. So when they trip and drop them, don't act all surprised and outraged, because you are the one who chose to use th
Re: (Score:2)
Re: (Score:2)
It's enforceable, just not technically. (If it were technically possible, they could automate it.) Have a corporate policy that says "Thou shalt not use thy corporate password outside of the corporation's computer systems, or thou shalt be fired." Then when a publicly visible violation occurs, you invoke the penalty clause in a public fashion, so that everyone can see you take the policy very seriously.
Ask the Apple guy who lost the prototype iPhone 4 about the experience. Then ask a current Apple emplo
Re: (Score:2)
Have a corporate policy that says "Thou shalt not use thy corporate password outside of the corporation's computer systems, or thou shalt be fired." Then when a publicly visible violation occurs, you invoke the penalty clause in a public fashion, so that everyone can see you take the policy very seriously.
Mhm... One flaw...
It's heartless and ugly and cruel...
...and it requires one user to violate it before it becomes an effective deterrent. Even then, it only serves as a warning to those presently employed; n00bs won't have gotten the message.
Re: (Score:2)
I'm a huge fan of Google's. I have it installed on my phone, tablet and iPod touch. If I lose one I can revoke that authentication. I have been out at a friend's house and couldn't login once but the security benefits outweigh any issues I've ever had with it. Anytime I login from a non-standard computer I type in a generated number.
stackoverflow too... (Score:1)
I signed up with them and immediately got a bunch of bogus "job offer" spam. Luckily Google filtered it all out, but it's not cool, man. StackOverflow claims to be a geeky site; how do they let that happen?
Re: (Score:3)
How do you know it was dropbox that let your address out?
I use spamgourmet [spamgourmet.com] to create unique email addresses for every site that wants my email address. I've used this for nearly 10 years and have created 616 different email addresses. The one I used for dropbox has never received spam, but I have gotten spam on the addresses I created for a samsclub rebate, and for the email address I used to make an account with Sony Online Entertainment, and on a few various other websites. These types of database crack
Re: (Score:2)
They will probably use something like Google Authenticator: http://en.wikipedia.org/wiki/Google_Authenticator [wikipedia.org]
Re: (Score:3)
How to get service with no cell phone? (Score:2)
The normal way to implement this (a la Google) is to get your mobile phone number
Which would require each customer to maintain mobile phone service. I've read comments to other articles claiming that mobile phone service is still a luxury, not a necessity.
Re: (Score:2)
The normal way to implement this (a la Google) is to get your mobile phone number
Which would require each customer to maintain mobile phone service. I've read comments to other articles claiming that mobile phone service is still a luxury, not a necessity.
Free google voice account, configured to forward incoming texts to email. Not a theoretical approach, I actually do this. I don't use texts much (well, really, at all). Go to the Mighty GOOG voice, click on the typical GOOG weird torx-like "settings" button, select "settings", select "voicemail and texts", select checkbox third from the bottom labeled "Text Forwarding: Forward text messages to my email"
Each text I get used to cost me 25 cents (including reams of spam), so I obviously disabled texts on my
Re: (Score:2)
Re: (Score:2)
Besides, you can always claim a cell is a landline & have 2 GV accts. Now you have 3 numbers & 1 phone, if a family can't do a 3:1 r
"...you can use a friend's number" (Score:2)
a la Google
Which would require each customer to maintain mobile phone service.
2-factor authentication is optional at most places that use it.
I was referring specifically to Google. In some countries, one can't create a Gmail account without a phone number. See for example this help page [google.com]: "If you don't have a phone, you can use a friend's number"
Stop being stupid.
Y u no assume good faith?
Re: (Score:1)
If you have an Android, iPhone or Blackberry device, you can also use the Google Authenticator app. Granted, if you have one of these devices you probably also have a mobile service, but at least with the app you are not reliant on the mobile network delivering your SMSs in a timely manner. Then again, you could probably run it in your homebrew portable raspberry pi running android connected with bluetooth to your pebble watch. No mobile service required, only a little hacking. :-)
See http://support.google. [google.com]
No Google Play on Raspberry Pi (Score:2)
Then again, you could probably run it in your homebrew portable raspberry pi running android
I don't see how. From Installing Google Authenticator [google.com]: "1. Visit Google Play." Downloads from Google Play require the Play Store app to be installed on the device, and this app comes only on certified devices. A Raspberry Pi running AOSP Android is not a certified device because as I said yesterday [slashdot.org], I'm not aware of a profile in the Android CDD for desktop or set-top devices.
Are you doing enough though? (Score:1)
Ok, great, you move to 2-factor authentication and the mean bad guys can't log in as an employee anymore. But what if the employee accidentally copies that or something equally sensitive to a public folder? Or what if they get phished into browsing to a malicious URL with an exploit that is able to get at that file somehow?
Also, what the HELL was any employee doing with a copy of any type of data for your user base in a dropbox in the first place? That stuff should be locked away tightly in a database in a wa
Re: (Score:2)
Companies do try in earnest. I'd be willing to admit that bigger companies probably try a lot harder. Firms like Ebay are constantly training (and retraining) their employees on social engineering, document security, the risks of transferable media (e.g. USB drives), etc.
However, it is practically impossible for a company to put bulletproof safeguards around things like:
+ Laziness (opting for convenience vs. security)
+ Ignorance
+ Malice (intentional compromise of information)
+ Plain old human error
So the
Re: (Score:2)
...When they take the final step and modify their Acceptable Use Policy to include termination for those who violate the policy, and then actively enforce it.
We deal with highly confidential and sensitive information all the time, including personally identifiable information. Everyone understands the consequences of trying to circumvent the controls that have been put in place on the systems. In this economy, the few of us who are fortunate enough to have a job are not going to throw them away.
The only +
Ummm... (Score:4, Insightful)
And why, pray tell, did this dropbox employee have a list of user email accounts stored in his dropbox?
Unless they run things rather differently than everybody else in the universe, user emails aren't exactly zOMG Super Secret; but they tend to reside somewhere in the bowels of the system for mailing-list and password reset purposes handled largely by automated tools, not in list form in human file storage areas. Outside of the relatively small number that might collect during the course of handling support requests or the like, why would an employee have any use for a substantial list of addresses, stored insecurely?
Re: (Score:1)
Not to defend Dropbox, but over my time as a maintenance programmer at agencies, I've routinely had to export email addresses from user account lists so they could be imported into third-party mailing systems for newsletter runs etc. Sometimes even large companies don't do all of this in-house, especially if they are involving a dedicated advertising agency that's doing complicated A/B testing or targeted advertising.
In fact, right this second I have email addresses (in fact, significant demographic and persona
Re: (Score:2)
I haven't read the reports / blogs / etc... yet, but I can come up with plenty of reasons to have a list of email addresses on my system. It might be I work for marketing and need to send out some kind of mailing. I bet there are many tools out there that will take simple text-files as input for the emails. Another reason might be that they were using the list to transfer data to some test-environment and rather extracted it once into a text-file and then many times into the dev-environments rather than doi
Re: (Score:2)
Email accounts often act as a proxy for a member identifier / account identifier. They aren't perfectly unique in either direction. Sometimes multiple people share an email, but then they are sharing an account; sometimes the same person has multiple emails, but then effectively that person is acting like multiple people.
For most companies the majority of their middleware are desktop productivity applications like Access combined with a semi skilled office worker. A file gets pulled from one server, manipu
Why not just sack the luddite? (Score:2)
"This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication."
Two-factor authentication? WTF?! Why not just sack the luddite and his nearest boss?
Re: (Score:1)
Why not just sack the luddite and his nearest boss?
If you don't sack at least a VP you don't even get management's attention on the prevention of similar nonsense. Where were the business processes to keep the luddite away from customer data?
You'd think at least the Dropbox people ... (Score:3)
You let somebody in and they can always get in - changing the password doesn't change the key and only gives the illusion that you are locking people out.
Re: (Score:2)
No - you let someone in and they can get in until you unlink their device.
Which is trivial to do from the web interface.
Any and all online accounts are vulnerable... (Score:1)
Re: (Score:2)
That is just it: cloud services are inherently insecure. The trade-off comes with convenience: no hardware to fiddle with, no setup, just write a check every month.
Waay too vague (Score:1)
spamgourmet is your friend (Score:2)
For those that don't know, there is a simple and fantastic service called SpamGourmet. You can create disposable addresses on the fly, control how many emails they accept, etc.
http://spamgourmet.com/ [spamgourmet.com]
Kudos to Dropbox ... (Score:2)
Re: (Score:2)
Well, if it was dropbox@yourdomain.com, I could see that argument. I started using sitename.YYYYMMDD@mydomain.com to prove it beyond the shadow of a doubt. As I run my own mail servers, either the recipient, one of our ISPs, or one in between would have had to have skimmed the email address. I've had a dozen or so sites leak these addresses. If I don't need them, I just block the aliases on my server. If I need them (domain registrar, etc.), I just bump the date, make sure I get the change confirmation email, and then
Re: (Score:2)
Well, if it was dropbox@yourdomain.com, I could see that argument
Yeah, not quite that generic, and only that one site's address got spam, and it was a vendor I had a business relationship with.
sitename.YYYYMMDD@mydomain.com
Good thought. Now that I'm using LastPass this becomes feasible for me too. Thanks - I'll start doing that.
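The sitename.YYYYMMDD@mydomain.com scheme discussed in this thread turns a spam recipient address into evidence of which site leaked it and when. As an added example (not code from either poster, and not tied to spamgourmet or any real mail server), this issues such aliases, parses them back, and attributes a constructed list of spam recipients to the sites they were handed to; example.com and the recipient list are made up.

```python
import re
from datetime import date

# Matches the sitename.YYYYMMDD@domain scheme (addresses are lower-cased before matching).
ALIAS_RE = re.compile(r"^(?P<site>[a-z0-9-]+)\.(?P<ymd>\d{8})@(?P<domain>[a-z0-9.-]+)$")


def make_alias(site: str, when: date, domain: str) -> str:
    """Alias to hand to one site; the date lets you rotate it later without losing history."""
    return f"{site.lower()}.{when:%Y%m%d}@{domain.lower()}"


def parse_alias(addr: str, domain: str):
    """Return (site, date issued) for a tagged alias on our own domain, otherwise None."""
    m = ALIAS_RE.match(addr.strip().lower())
    if not m or m.group("domain") != domain.lower():
        return None
    ymd = m.group("ymd")
    try:
        when = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    except ValueError:          # e.g. month 13: looks tagged but is not one of ours
        return None
    return m.group("site"), when


def attribute_leaks(recipients, domain: str):
    """Group spam-receiving aliases by the site they were issued to; keep the rest aside."""
    by_site, unknown = {}, []
    for addr in recipients:
        parsed = parse_alias(addr, domain)
        if parsed is None:
            unknown.append(addr)
            continue
        site, when = parsed
        by_site.setdefault(site, set()).add(when)
    return {site: sorted(dates) for site, dates in by_site.items()}, unknown


# Constructed sample: recipient addresses pulled from spam that reached the catch-all domain.
SAMPLE_RECIPIENTS = [
    "samsclub.20110203@example.com",
    "SOE.20100615@example.com",
    "samsclub.20110203@example.com",      # same alias hit twice
    "soe.20100615@example.com",
    "dropbox.20120801@another.example",   # tagged-looking, but not our domain
    "postmaster@example.com",             # untagged role address
]

if __name__ == "__main__":
    leaks, unknown = attribute_leaks(SAMPLE_RECIPIENTS, "example.com")
    for site, dates in leaks.items():
        replacement = make_alias(site, date.today(), "example.com")
        print(f"{site}: alias issued {dates[0]:%Y-%m-%d} now gets spam; rotate to {replacement}")
    print("unattributed:", unknown)
```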
Lousy password security (Score:2)
For years, service providers have been beating up their customers to get them to use secure passwords, but time after time, it turns out that the service providers are the worst security offenders.
What is it going to take to get the services to take security seriously?
It's not that hard: Build a dedicated authentication server. Account names and passwords (preferably hashed) are stored there, and NOT in any other database on any other server owned by the service. The authentication server acts as a near bla
Security is Important (Score:1)