Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dropbox Confirms Email Addresses Were Pilfered

Posted by Unknown on from the three-factor-auth-coming-to-a-store-near-you dept.

bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.

89 comments

  1. Nice of the hackers to tell us by MrEricSir · · Score: 4, Interesting

    In so many of these cases, the only reason anyone finds out that a site or service was hacked was that the hackers were nice enough to brag about it in public or leave some kind of obvious trail.

    It makes one wonder: how much black hat hacking goes undetected? A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

    --
    There's no -1 for "I don't get it."
    1. Re:Nice of the hackers to tell us by evilRhino · · Score: 5, Informative

      Actually, the hackers didn't tell anyone. If people hadn't set up specific email addresses for their dropbox account, checked these boxes for mail, and reported spam, this might have never been discovered.

    2. Re:Nice of the hackers to tell us by rgbrenner · · Score: 5, Insightful

      A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

      Dropbox is not exactly a small company.. They had $240 million in revenue in 2011 entirely from storing customer data.. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/

      It's been just over a year since the login-without-a-password dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.

      It's all just so incredibly sloppy.

      Why are they still in business? They obviously don't know what they are doing. I have no idea how can anyone trust them with their data.

    3. Re:Nice of the hackers to tell us by JoshuaZ · · Score: 1

      The point about small companies is valid, but there's probably not that much malicious hacking directed at small companies. If the companies are that small, there's not that much payoff to the hackers.

    4. Re:Nice of the hackers to tell us by Rob+Riggs · · Score: 2

      I had the same problem with United Airlines about a decade ago. Just about every company I deal with gets their own email address. I started getting spam to the account I used for United. They were actually pretty good about responding when the abuse was brought to their attention. IIRC they traced it back to an email service vendor.

      --
      the growth in cynicism and rebellion has not been without cause
    5. Re:Nice of the hackers to tell us by Glendale2x · · Score: 3, Insightful

      Another question would be why does an employee have an list of user email addresses stored in their account? If employees can export customer data like that who cares how many factors of authentication they add.

      --
      this is my sig
    6. Re:Nice of the hackers to tell us by AmiMoJo · · Score: 2

      I have no idea how can anyone trust them with their data.

      Who says we do? Truecrypt container FTW.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Nice of the hackers to tell us by lister+king+of+smeg · · Score: 1

      If your files are encrypted client side it doesn't matter what they do with your data as long as you can pull it back down.
      strong encryption means you don't have to trust anyone*.
      (*as long as you are the only one who knows the password)

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    8. Re:Nice of the hackers to tell us by AlecC · · Score: 1

      Presumably because the had received and handled emails from users. You don't need to "export" the email address, you just need to be the person designated to handle a customer issue. Their email address then goes to your addressbook, and anybody who hacks your account can read your addressbook.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    9. Re:Nice of the hackers to tell us by Anonymous Coward · · Score: 0

      Nobody cares about the stuff most people put on dropbox. Dropbox's main goal is to not lose stuff. If you want something safe from prying eyes, encrypt it. Any services can be ordered by law to open up your contents. You act as if people have a lot of stuff to keep secret. A failure for dropbox would be losing data. By your reasoning, how is the government still in business? They obviously dont know what they are doing, they lose social security numbers, tax records.

    10. Re:Nice of the hackers to tell us by Anonymous Coward · · Score: 0

      Wow... with that kind of attitude I assume you work for Dropbox?

    11. Re:Nice of the hackers to tell us by Anonymous Coward · · Score: 0

      Because high-schoolers and 4channers don't give a rats ass about the data security of their essays, pictures and porn. And they can use it as free file hosting.

    12. Re:Nice of the hackers to tell us by Anonymous Coward · · Score: 0

      I dont know, shit happens sometimes. I think this is a little dramatic over some email addresses. They didnt even get passwords, just email addresses. My email address is all over the internet as it is.

    13. Re:Nice of the hackers to tell us by Sarten-X · · Score: 1

      I have no idea how can anyone trust them with their data.

      The vast majority of the population either doesn't care about their data security, or doesn't know enough about Dropbox's shortcomings to be concerned. As for myself, my most recent use of dropbox was to synchronize work on a group project. We had one team at remote locations uploading data, and another two teams retrieving the data and processing it. All our data was practically worthless to anyone else, and not too private to us.

      Dropbox operates very much like a real physical dropbox: You can stick stuff in it, and retrieve it later. Somebody else might break into it, so don't use it for vitally confidential stuff.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    14. Re:Nice of the hackers to tell us by Anonymous Coward · · Score: 0

      I thought this was pretty common, I'm pretty sure I have had at least three Cisco accounts from various jobs compromised... Keep getting spam offering second hand Cisco kit, and even phone calls from third parties offering Cisco related services.

    15. Re:Nice of the hackers to tell us by SmurfButcher+Bob · · Score: 1

      *Whoosh*

      I can put anything I want into your dropbox account and it will magically appear on every machine you've linked it to.
      I can edit anything I want in your dropbox account and THAT will magically appear on every machine you've linked it to.

      You are clueless as to what I can do to someone if I have that ability. I think it's safe to add yourself to the pool of people with no idea of what they are doing.

      --

      help me i've cloned myself and can't remember which one I am

  2. pilfered by Anonymous Coward · · Score: 1

    OMG my mail has been ... what? pilfered? ...

    1. Re:pilfered by Transdimentia · · Score: 1

      I, and tens of thousands of others, learned what pilfered was back in 7th grade playing mystery at marple manor on the c64. You are down a point on geek cred now, thanks, drive through.

  3. Password Change 500 Error by mutherhacker · · Score: 1

    To top it all the password change section of their website is down (wanted to change my password just in case).

    1. Re:Password Change 500 Error by Anonymous Coward · · Score: 0

      While you're waiting to re-key the barn door, let's talk about an employee's account was hacked.

      Dropbox /says/ that customer accounts were hacked too, but that's 'unrelated'. Dropbox is doing damage control, so best be highly skeptical of any good news from them, and accept only the bad news as facts.

      They've been hacked. Right now you shouldn't trust that their password system is secure. Changing your password may just hand over your new password; while your old one may not be cracked yet.

      What you should be thinking of while waiting, is how you can have your information on their system in a way that's secure for you. Instead of changing your password, you should be replacing your data with an encrypted version. And you better be considering that the data you've stored there may already have been copied. If you haven't already got one, you need a plan for operating under that new problem.*

      *[Which'd be a great 'Ask Slashdot' of it's own.}

  4. Why are They Lecturing Us About Password Security? by McDee · · Score: 4, Insightful

    Okay so yes it's a good idea to have different passwords for each website, but given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    And yes, two-factor authentication would be very nice. Please do it using an already-existing system like YubiKey rather than make your own.

  5. Clarification by Anonymous Coward · · Score: 0

    According to the Dropbox's own report, there was no breach at Dropbox, but user accounts were grabbed from some other websites and the passwords matched.

    1. Re:Clarification by Anonymous Coward · · Score: 0

      They clarified how it was possible that an outside attacker got access to an employee dropbox, but they did not clarify how it is possible that this employee dropbox contained a list of customer e-mail addresses.
      They even call it "a project document".
      What kind of project is that?
      "project unwanted information disclosure"?

  6. stackoverflow too... by Anonymous Coward · · Score: 1

    i signed up with them and immediately got a bunch of bogus "job offer" spam, luckily google filtered it all out but it's not cool man. stackoverflow claims to be a geeky site, how do they let that happen?

    1. Re:stackoverflow too... by uigrad_2000 · · Score: 2

      How do you know it was dropbox that let your address out?

      I use spamgourmet to create unique email addresses for every site that wants my email address. I've used this for nearly 10 years and have created 616 different email addresses. The one I used for dropbox has never received spam, but I have gotten spam on the addresses I created for a samsclub rebate, and for the email address I used to make an account with Sony Online Entertainment, and on a few various other websites. These types of database cracks are common, and it really shouldn't be a news story.

      I do not wish to advertise for the site mentioned above. As it stands now, google and yahoo mail both give the opportunity to make disposal email addresses now, so the service I use is no longer unique. But, I do recommend that everyone does use a service of this type, so that you can shut down only the addresses that you get spam with.

      --
      Free unix account: freeshell.org
  7. What does this mean? by Anonymous Coward · · Score: 0

    According to http://en.wikipedia.org/wiki/Two-factor_authentication this means they will require a second 'factor'. Maybe a credit card or a fingerprint. So basically what we will get is they will be storing more (and even more sensitive) info in order to authenticate you? And when they loose that? Then not only will they have my data, but also my biometric characteristics and my credit card number? I fail to see where this will protect me more...

    1. Re:What does this mean? by chrisgeleven · · Score: 1

      They will probably use something like Google Authenticator: http://en.wikipedia.org/wiki/Google_Authenticator

    2. Re:What does this mean? by RobinH · · Score: 2

      The normal way to implement this (a la Google) is to get your mobile phone number and when you want to login, they text you a secret phrase. You have to type this into the site, along with your normal password, to gain access. Note that you only have to do this every X weeks from each different computer you're logging in from, so you don't have to do it all the time. What it means is that you need to know the password *and* be able to receive texts sent to that phone number in order to login. If someone steals your phone, they shouldn't know the password, and if someone gets your password, they probably don't have your phone. Or at least it's less likely.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    3. Re:What does this mean? by Anonymous Coward · · Score: 0

      My company uses a token app, it generates a time sensitive code that you have to use alongside your normal username/password. It's basically a 30 second password, that can only be generated from my phone or w/e device I setup to generate it.

  8. Are you doing enough though? by Anonymous Coward · · Score: 1

    Ok, great, you move to 2 factor authentication and the mean bad guys can't login as an employee anymore. But what if the employee accidentally copies that or something equally sensitive to a public folder? Or what if they get fished into browsing to a malicious url with an exploit that is able to get at that file somehow?

    Also, what the HELL was any employee doing with a copy of any type of data for your user base in a dropbox in the first place? That stuff should be locked away tightly in a database in a way that is fully audited, and should be impossible to access with a damn good reason as to why he needs access to it. And even then, the access should be revoked immediately after needing it, and verified that no residual traces of it are left, and....

    Oh wait, I forgot, you are just a lazy ass company that only wants to do "just enough" to keep customers and make more money by spending less on an actual security setup that works.

    Of course, that is just my opinion, I may be wrong.

    Cheers ;)

    1. Re:Are you doing enough though? by Anonymous Coward · · Score: 0

      That's my concern too, so you made it harder for them to login, but the underlying behavior still remains.
      Sensitive information needs to be kept on the company intranet and access restricted to only those who need it and only for when they do.

      *And I think you're right about them being lazy, considering Day 1 Features that are still missing, despite great demand for years.

    2. Re:Are you doing enough though? by kaushik · · Score: 2

      Companies do try in earnest. I'd be willing to admit that bigger companies probably try a lot harder. Firms like Ebay are constantly training (and retraining) their employees on social engineering, document security, the risks of transferable media (e.g. USB drives), etc.

      However, it is practically impossible for a company to put bulletproof safeguards around things like:

      + Laziness (opting for convenience vs. security)
      + Ignorance
      + Malice (intentional compromise of information)
      + Plain old human error

      So the question really becomes, when has a company done enough...?

    3. Re:Are you doing enough though? by dave562 · · Score: 1

      ...When they take the final step and modify their Acceptable Use Policy to include termination for those who violate the policy, and then actively enforce it.

      We deal with highly confidential and sensitive information all the time, including personally identifiable information. Everyone understands the consequences of trying to circumvent the controls that have been put in place on the systems. In this economy, the few of us who are fortunate enough to have a job are not going to throw them away.

      The only + that you made that is some what relevant is malice. In those cases all you can do is implement logging and review the logs for exceptions. At some point, you have to trust someone to access the data. In those situations, the access needs to be audited. It might not prevent the breach altogether, but it makes it easier to limit the damage.

    4. Re:Are you doing enough though? by Anonymous Coward · · Score: 0

      Ya, I am thinking it's a bit of the "lazy" more than anything too. Not so much of anything intentional, but that it is a big hassle to do things like this properly from a locked down machine with access to the database.

      Now, for a mom and pop shop at the corner of the street, I can see something like this happening often, but for a company like dropbox that has personal information for hundreds of thousands, if not millions, of users and terabytes of their data, things get more serious. The "it was just easier for me to mysqldump the user database to my workstation" excuse just doesn't cut it anymore.

  9. Ummm... by fuzzyfuzzyfungus · · Score: 3, Insightful

    And why, pray tell, did this dropbox employee have a list of user email accounts stored in his dropbox?

    Unless they run things rather differently than everybody else in the universe, user emails aren't exactly zOMG Super Secret; but they tend to reside somewhere in the bowels of the system for mailing-list and password reset purposes handled largely by automated tools, not in list form in human file storage areas. Outside of the relatively small number that might collect during the course of handling support requests or the like, why would an employee have any use for a substantial list of addresses, stored insecurely?

    1. Re:Ummm... by Anonymous Coward · · Score: 1

      Not to defend Dropbox, but over my time as a maintenance programmer at agencies, I've routinely had to export email addresses from user account lists so they could be imported into third party mailing systems for newsletter runs etc - sometimes even large companies don't do all of this inhouse, especially if they are involving a dedicated advertising agency thats doing complicated AB testing or targeted advertising.

      Infact, right this second I have email addresses (infact, significant demographic and personal information directly identifiable to the persons) for roughly 10 million UK social housing people, right here on my personal dev server at home.

    2. Re:Ummm... by deroby · · Score: 1

      I haven't read the reports / blogs / etc... yet, but I can come up with plenty of reasons to have a list of email addresses on my system. It might be I work for marketing and need to send out some kind of mailing. I bet there are many tools out there that will take simple text-files as input for the emails. Another reason might be that they were using the list to transfer data to some test-environment and rather extracted it once into a text-file and then many times into the dev-environments rather than doing some ETL from the live system over and over.... etc.. etc..
      Assuming I had virtual dropbox space (and a LAN connection to the server), I too would have EVERYTHING I work on in my dropbox enabled folders.

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    3. Re:Ummm... by Anonymous Coward · · Score: 0

      Are you just trolling? Because if not, I wish I knew who your employer was so I could advocate for having you fired for gross negligence.

      I can accept the need to occasionally export data, but sane people delete the data as soon as they are done with it, and never move it to a personal server. Right now you are setting yourself to be headline news if somebody hacks your system.

    4. Re:Ummm... by Anonymous Coward · · Score: 0

      Not to defend Dropbox, but over my time as a maintenance programmer at agencies, I've routinely had to export email addresses from user account lists so they could be imported into third party mailing systems for newsletter runs etc - sometimes even large companies don't do all of this inhouse, especially if they are involving a dedicated advertising agency thats doing complicated AB testing or targeted advertising.

      That's illegal under European data protection law, if performed without specific (including the advertising agency's customers!) and informed consent (in addition to all the other requirements)

      Infact, right this second I have email addresses (infact, significant demographic and personal information directly identifiable to the persons) for roughly 10 million UK social housing people, right here on my personal dev server at home.

      And that's even more illegal, unless you have explicit, informed consent and sufficient security.

      See 95/46/EC:

      1. Member States shall provide that personal data must be:

      (a) processed fairly and lawfully;

      (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

      (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

      (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

      (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

    5. Re:Ummm... by jbolden · · Score: 1

      email accounts, often act as a proxy for a member identifier / account identifier. They aren't perfectly unique in either direction. Sometimes multiple people share an
      email but then they are sharing an account; sometimes the same person has multiple emails but then effectively that person is acting like multiple people.

      For most companies the majority of their middleware are desktop productivity applications like Access combined with a semi skilled office worker. A file gets pulled from one server, manipulated by hand, and then sent to another server.

  10. Why not just sack the luddite? by G3ckoG33k · · Score: 1

    "This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication."

    Two-factor authentication? WTF?! Why not just sack the luddite and his nearest boss?

    1. Re:Why not just sack the luddite? by LeadSongDog · · Score: 1

      Why not just sack the luddite and his nearest boss?

      If you don't sack at least a VP you don't even get management's attention on the prevention of similar nonsense. Where were the business processes to keep the luddite away from customer data?

      --
      Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
  11. Lecturing Us About Password Security? by Captain+Hook · · Score: 5, Informative

    given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.

    When the hackers tried his credentials on the dropbox site, they found his dropbox account used the same password and were able to access all the files he was storing which contained a list of names and email addresses.

    They are mentioning using different passwords for different sites not because they are worried about your password but because it was how dropbox themselves got attacked.

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    1. Re:Lecturing Us About Password Security? by McDee · · Score: 1

      Yeah I get what happened, but then that's an internal issue for Dropbox. Putting it up as part of their explanation for what happened just seems like a diversionary tactic (everyone thinks "ooh I use the same password in different places, maybe it's partly my fault" as opposed to "Dropbox have some really bad security policies in place, I wonder how much more of my information is sitting in Dropbox employees' personal stashes?")

    2. Re:Lecturing Us About Password Security? by BronsCon · · Score: 2

      Diversionary tactic or not, how many Dropbox users would understand, or even care about, the privacy implications of Dropbox's security policies? I'm guessing just the ones in this thread, so, by far, the minority. What the email they sent out (I got one, I've read it, I know what it says) does, that you're ignoring, is educate users who don't know better, including the employee whose account was hacked.

      Now, I'm not supporting their securfity practices; certainly, that information should not have been stored in an employee's dropbox, but that's not the point here. Ask yourself, and answer realistically, if Dropbox had sent out an email explaining that one of their employees had a list of email addresses in their dropbox, how many people would have just been like "Oh? See? I knew I was on to something when I started doing that!".

      I don't think Dropbox is trying to get users to blame themselves, I think they're speaking to their largely non-technical audience, in plain terms, and relaying a lesson they just learned, without including details that may confuse those same users. As evidence of this, I present the link from that email, which takes you to their blog, on which the most recent post explains exactly what happened, including all the juicy details you insinuate they're trying to hide.

      To summarize what Dropbox has done here: They sent an email, to their largely non-technical userbase, with some very worthwhile security advice that is (sadly) not common knowledge. In that email, they provide a password change link, a link to a tool to make it easier to keep track of multiple passwords, and a link to the explanation of why they are doing this and a real-life example of exactly why the user should follow the advice. That's pretty powerful stuff; one has to wonder, if every company were as proactive in cleaning up their security messes as Dropbox is being in this instance, would the number of idiot users be reduced?

      Now, I understand the point of view you're probably coming from. If Dropbox, and other companies, were more proactive in preventing these types of security issues altogether, idiot userd would be less of a problem. Here's where that point of view fails: The security issue here was an idiot user, not a Dropbox policy or a flaw in their system. There wasn't anything Dropbox could have done to prevent this, except to educate their users (and employees), it was entirely under the control of an idiot who didn't know better. User education is the correct response. Yes, they could have educated their users before this incident, but without a clear example to answer the "why are you shoving this in my face?" question, those who didn't simply ignore the advice would get pissed off or offended, then ignore the advice. And who's to say their policy hasn't been, from day one, "don't use the same password here that you use elsewhere"? How would they enforce it? They can't.

      Sadly, if it means more work for the user, the user will ignore it. Even with this incident, and a clear explanation of what can happen, you know as well as I do that 90% of users are going to change their Dropbox password, then promptly change all their other passwords to match it. At least we won 10% of users, today.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:Lecturing Us About Password Security? by Anonymous Coward · · Score: 0

      You mean "Sincerely, China", right? Because AFAIK China won 50% more gold medals than the US of A.

  12. Re:Why are They Lecturing Us About Password Securi by Anonymous Coward · · Score: 0

    Yea, it strikes me as rather worrisome that this employee kept such a list in their Dropbox. That sort of stuff should remain on the company intranet.

  13. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 5, Insightful

    The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..

    Why in the hell did he have a list of customer email addresses in his account?

    Is this a common practice there.. to let employees store copies of customer data all over the place?

    I think dropbox has proven repeatedly they really don't care about the security of their customers data.

  14. Re:Why are They Lecturing Us About Password Securi by plover · · Score: 1

    The lecture is "whoops, we just learned that we got hacked this way, just like everyone else said would happen about 10 years ago, so we're passing the lesson onwards to you."

    The real takeaway is "we are about 10 years behind everyone else in security." Which is a shame, because I really like Dropbox.

    But it's like using any service provider - you're putting your eggs in someone else's basket. So when they trip and drop them, don't act all surprised and outraged, because you are the one who chose to use them.

    --
    John
  15. How to get service with no cell phone? by tepples · · Score: 1

    The normal way to implement this (a la Google) is to get your mobile phone number

    Which would require each customer to maintain mobile phone service. I've read comments to other articles claiming that mobile phone service is still a luxury, not a necessity.

    1. Re:How to get service with no cell phone? by vlm · · Score: 1

      The normal way to implement this (a la Google) is to get your mobile phone number

      Which would require each customer to maintain mobile phone service. I've read comments to other articles claiming that mobile phone service is still a luxury, not a necessity.

      Free google voice account, configured to forward incoming texts to email. Not a theoretical approach, I actually do this. I don't use texts much (well, really, at all). Go to the Mighty GOOG voice, click on the typical GOOG weird torx-like "settings" button, select "settings", select "voicemail and texts", select checkbox third from the bottom labeled "Text Forwarding: Forward text messages to my email"

      Each text I get used to cost me 25 cents (including reams of spam), so I obviously disabled texts on my phone completely.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:How to get service with no cell phone? by bytestorm · · Score: 1

      You still need a phone line to tie to gvoice. A land line number can have a maximum of 2 gvoice accounts attached to it, a mobile one only 1. Unless there's a way to get free POTS-resolvable phone numbers I don't know about, the problem stands for families with a single land line.

    3. Re:How to get service with no cell phone? by JazzLad · · Score: 1

      Your (theoretical) family requires multiple Dropbox accounts but only has 1 phone? For me, a draw of Dropbox is I can use the same Dropbox account on multiple PCs, keeping them synced. This way if the laptop you were using for school has a dead battery/etc when walking out the door to class, you simply grab another & it has your latest stuff on it (for example).

      Besides, you can always claim a cell is a landline & have 2 GV accts. Now you have 3 numbers & 1 phone, if a family can't do a 3:1 ratio on phones:Dropbox accounts, they are doing something wrong.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    4. Re:How to get service with no cell phone? by Anonymous Coward · · Score: 0

      2-factor authentication is optional at most places that use it. Stop being stupid.

    5. Re:How to get service with no cell phone? by camh · · Score: 1

      If you have an Android, iPhone or Blackberry device, you can also use the Google Authenticator app. Granted, if you have one of these devices you probably also have a mobile service, but at least with the app you are not reliant on the mobile network delivering your SMSs in a timely manner. Then again, you could probably run it in your homebrew portable raspberry pi running android connected with bluetooth to your pebble watch. No mobile service required, only a little hacking. :-)
      See http://support.google.com/a/bin/answer.py?hl=en&answer=1037451

  16. You'd think at least the Dropbox people ... by dbIII · · Score: 2

    You'd think at least the dropbox people would be aware of how insecure dropbox is.
    You let somebody in and they can always get in - changing the password doesn't change the key and only gives the illusion that you are locking people out.

    1. Re:You'd think at least the Dropbox people ... by Richard_at_work · · Score: 1

      No - you let someone in and they can get in until you unlink their device.

      Which is trivial to do from the web interface.

  17. Any and all online accounts are vulnerable... by MCAROLLO · · Score: 1

    Dropbox should definitely take security seriously being a cloud based storage solution and all, but lets face it - any online account is vulnerable to this same type of attack. I use Dropbox and I love it. This little breach will not scare me away. How many people have bad run in's with their bank accounts being hacked and money siphoned out to who knows where? That is something to worry about!

    1. Re:Any and all online accounts are vulnerable... by lister+king+of+smeg · · Score: 1

      That is just it, cloud services are inherently insecure. the trade off comes with convenience, no hardware to fiddle with no set up just write a check every month.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  18. Dropbox cannot & should not be trusted, period by Anonymous Coward · · Score: 0

    Any company which displays such incompetence is an accident waiting to happen.

    Some of us prefer to avoid such things from the outset.

  19. Re:Why are They Lecturing Us About Password Securi by AlecC · · Score: 0

    It is a common practice in most email clients. They store the addresses of everybody with you have exchanged emails. My GMail account certainly remembers everybody I have sent an email to. "A few hundred" would be consistent with a member of the customer service team handling customer issues by email. I suggest this would be almost universal practice - does your email client not keep an addressbook? I know of no email client which does not keep addresses until I explicitly delete them.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  20. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 2

    Excuse me.. but please don't make up explanations and ask us all to pretend it's ok.

    Dropbox says it was a project document with hundreds of customer email addresses.

    I don't know about you, but I don't call my email client a "project document"

  21. Re:Why are They Lecturing Us About Password Securi by Wamoc · · Score: 2

    It wasn't the employees email that was hacked. An employees Drop Box account was hacked that had a file with client email addresses in it. They seriously need to create and enforce some rules on storing customer data.

  22. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 1

    Dropbox says it was a project document with hundreds of customer email addresses.

    Hate to correct myself.. but dropbox did not say "hundreds".. they just said it was a project document with customer email addresses.. So who knows how many were in the file

  23. Waay to vague by Vico311 · · Score: 1

    "To prevent future incidents, Dropbox is moving toward two-factor authentication." How does "moving" toward two-factor mean anything. Heck, I can say I'm moving toward 4 factor authentication (I am, I know, I have, I drank?) to prevent future incidents, but that doesn't mean anything. It's like saying the Queen of England can die as early as today. I hate this kind of news, and if Dropbox wants to repair their reputation for those of us in the security community they need to do a better job of reducing their risks and constantly tell us how they are improving their operations. Hopefully they can turn this negative into a positive for them and their users. They are a huge target right now in the "Black-Hat" community.

  24. Re:Why are They Lecturing Us About Password Securi by Anonymous Coward · · Score: 0

    Just forget for a moment that the employee used the same password on multiple sites..

    *deep sigh* All right, all right, let's cut to the chase: What password generator/locker service are you going to inevitably be shilling for if this conversation continues much longer?

    And yes, we already figured out you've got thousands of throwaway one-use email accounts, and keeping track of those is apparently far superior to just installing a damn spam filter already, so don't bother mentioning it.

  25. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 1

    Yes, that's right.. anyone who thinks their personal data should be protected is shilling for a dropbox-competitor. [/sarcasm]

    I work for an ecommerce site, where we deal with personally-identifiable information every single day. We protect our customers data, and downloading copies of it to another computer is a FIREABLE OFFENSE.

    So tell me, if dropbox really cares, why do they not have a similar policy? which dropbox employee is getting fired for this?

    Dropbox copies their customers data all over the place. They roll out changes to their authentication system without testing, letting anyone access anyone elses account. Face it.. dropbox doesn't give a shit about their customers data.

  26. Re:Why are They Lecturing Us About Password Securi by BronsCon · · Score: 1

    It's Dropbox; what do you think their intranet is?

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  27. Re:Why are They Lecturing Us About Password Securi by Anonymous Coward · · Score: 0

    Yes, that's right.. anyone who thinks their personal data should be protected is shilling for a dropbox-competitor. [/sarcasm]

    I work for an ecommerce site, where we deal with personally-identifiable information every single day. We protect our customers data, and downloading copies of it to another computer is a FIREABLE OFFENSE.

    So tell me, if dropbox really cares, why do they not have a similar policy? which dropbox employee is getting fired for this?

    Dropbox copies their customers data all over the place. They roll out changes to their authentication system without testing, letting anyone access anyone elses account. Face it.. dropbox doesn't give a shit about their customers data.

    It could be e-mail client syncing of last years' intern, for all we know. There's no information about how many email addresses were lost, who lost them, whether those emails were collected with permission for a specific project and so on.

  28. Re:Why are They Lecturing Us About Password Securi by BronsCon · · Score: 1

    Who said they don't already have a policy against using the same password in multiple places? The problem is that, whether they have such a policy or not, it's unenforceable.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  29. Re:Why are They Lecturing Us About Password Securi by Cid+Highwind · · Score: 1

    An employees Drop Box account was hacked that had a file with client email addresses in it.

    Well, yeah. Can you imagine the field day Wuala et al would have if word got out that Dropbox created a second, more secure file storage and transfer service for internal use? Not eating one's dogfood is a huge sign of lacking confidence in the product...

    --
    0 1 - just my two bits
  30. Re:Why are They Lecturing Us About Password Securi by plover · · Score: 1

    It's enforceable, just not technically. (If it were technically possible, they could automate it.) Have a corporate policy that says "Thou shalt not use thy corporate password outside of the corporation's computer systems, or thou shalt be fired." Then when a publicly visible violation occurs, you invoke the penalty clause in a public fashion, so that everyone can see you take the policy very seriously.

    Ask the Apple guy who lost the prototype iPhone 4 about the experience. Then ask a current Apple employee if he'd consider violating corporate secrecy policies. It's pretty obvious that the policies can be effective, if not perfectly enforceable.

    It's heartless and ugly and cruel, but putting your employer's good name at risk is a Big Deal. Dropbox might lose paying clients over this. That means less profit, which can lead to budget cuts, headcount reductions, or worse. All those dirty realities of operating a business come into play.

    --
    John
  31. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 1

    No, it could not be "email client syncing". The dropbox announcement specifically says it was a project document. So they DID copy the info for a specific project.

  32. Reason number 163... by Anonymous Coward · · Score: 0

    Reason number 163 why you NEVER give your real email address to a business.

  33. Re:Why are They Lecturing Us About Password Securi by BronsCon · · Score: 1

    Have a corporate policy that says "Thou shalt not use thy corporate password outside of the corporation's computer systems, or thou shalt be fired." Then when a publicly visible violation occurs, you invoke the penalty clause in a public fashion, so that everyone can see you take the policy very seriously.

    Mhm... One flaw...

    It's heartless and ugly and cruel...

    ...and it requires one user to violate it before it becomes an effective deterrent. Even then, it only serves as a warning to those presently employed; n00bs won't have gotten the message.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  34. spamgourmet is your friend by ilsaloving · · Score: 1

    For those that don't know, there is a simple and fantastic service called SpamGourmet. You can create disposable addresses on the fly, control how many emails they accept, etc.

    http://spamgourmet.com/

  35. Kudos to Dropbox ... by bill_mcgonigle · · Score: 1

    ... for taking the problem seriously. I've been contacting folks lately when my unique e-mail addresses are compromised. Most never write back. I got a call back from the TiresByWeb folks, which seemed promising, but their IT guy told me that it was impossible, that the spammers must have guessed the address, and that they don't want to have me as a customer anymore. Your call if you want to ever hand them credit card information in the future.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Kudos to Dropbox ... by jroysdon · · Score: 1

      Well, if was dropbox@yourdomain.com, I could see that argument. I started using sitename.YYYYMMDD@mydomain.com to prove beyond the shadow of a doubt. As I my own mail servers, either the recipient, one of our ISPs, or one inbetween would have had to skimmed the email address. I've had a dozen or so sites leak these addresses. If I don't need them, I just block the aliases on my server. If I need them (domain registrar, etc.), I just bump the date, make sure I get the change confirmation email, and then block the old email.

    2. Re:Kudos to Dropbox ... by bill_mcgonigle · · Score: 1

      Well, if was dropbox@yourdomain.com, I could see that argument

      yeah, not quite that generic, and only that one site's address got spam, and it was a vendor I had a business relationship with.

      sitename.YYYYMMDD@mydomain.com

      Good thought. Now that I'm using LastPass this becomes feasible for me too. Thanks - I'll start doing that.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  36. Lousy password security by efalk · · Score: 1

    For years, service providers have been beating up their customers to get them to use secure passwords, but time after time, it turns out that the service providers are the worst security offenders.

    What is it going to take to get the services to take security seriously?

    It's not that hard: Build a dedicated authentication server. Account names and passwords (preferably hashed) are stored there, and NOT in any other database on any other server owned by the service. The authentication server acts as a near black box, accepting credentials and returning a simple yes/no answer. Only a very few employees have access to the authentication server. Naturally, the server itself sits inside the DMZ, inaccessible from the outside world.

    It might not be perfect, but it would have stopped all of the major password breaches I've ever heard of.

    1. Re:Lousy password security by Anonymous Coward · · Score: 0

      But not this one!

  37. Re:Why are They Lecturing Us About Password Securi by 0100010001010011 · · Score: 1

    I'm a huge fan of Google's. I have it installed on my phone, tablet and iPod touch. If I lose one I can revoke that authentication. I have been out at a friend's house and couldn't login once but the security benefits outweigh any issues I've ever had with it. Anytime I login from a non-standard computer I type in a generated number.

  38. Security is Important by Ali+Liaqat · · Score: 1

    Security should be a part of service providers core Philosophy; and If security isn’t part of the cloud DNA, good luck bolting it on later. Here's some useful resource to learn more about Cloud security: http://www.dincloud.com/security Hope you'll find it informative and useful.

  39. "...you can use a friend's number" by tepples · · Score: 1

    a la Google

    Which would require each customer to maintain mobile phone service.

    2-factor authentication is optional at most places that use it.

    I was referring specifically to Google. In some countries, one can't create a Gmail account without a phone number. See for example this help page: "If you don't have a phone, you can use a friend's number"

    Stop being stupid.

    Y u no assume good faith?

  40. No Google Play on Raspberry Pi by tepples · · Score: 1

    Then again, you could probably run it in your homebrew portable raspberry pi running android

    I don't see how. From Installing Google Authenticator: "1. Visit Google Play." Downloads from Google Play require the Play Store app to be installed on the device, and this app comes only on certified devices. A Raspberry Pi running AOSP Android is not a certified device because as I said yesterday, I'm not aware of a profile in the Android CDD for desktop or set-top devices.

  41. normal security seriously by Anonymous Coward · · Score: 0

    Dropbox should definitely take security seriously being a cloud based

    Thats sounds normal

  42. Re:Why are They Lecturing Us About Password Securi by Anonymous Coward · · Score: 0

    The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..

    Why in the hell did he have a list of customer email addresses in his account?

    Is this a common practice there.. to let employees store copies of customer data all over the place?

    I think dropbox has proven repeatedly they really don't care about the security of their customers data.

    yes that's right, dropbox take it serius.