Slashdot Mirror


Dropbox Confirms Email Addresses Were Pilfered

bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.

17 of 89 comments

  1. Nice of the hackers to tell us by MrEricSir · · Score: 4, Interesting

    In so many of these cases, the only reason anyone finds out that a site or service was hacked was that the hackers were nice enough to brag about it in public or leave some kind of obvious trail.

    It makes one wonder: how much black hat hacking goes undetected? A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

    --
    There's no -1 for "I don't get it."
    1. Re:Nice of the hackers to tell us by evilRhino · · Score: 5, Informative

      Actually, the hackers didn't tell anyone. If people hadn't set up specific email addresses for their dropbox account, checked these boxes for mail, and reported spam, this might have never been discovered.

    2. Re:Nice of the hackers to tell us by rgbrenner · · Score: 5, Insightful

      A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

      Dropbox is not exactly a small company.. They had $240 million in revenue in 2011 entirely from storing customer data.. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/

      It's been just over a year since the login-without-a-password dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.

      It's all just so incredibly sloppy.

      Why are they still in business? They obviously don't know what they are doing. I have no idea how anyone can trust them with their data.

    3. Re:Nice of the hackers to tell us by Rob+Riggs · · Score: 2

      I had the same problem with United Airlines about a decade ago. Just about every company I deal with gets their own email address. I started getting spam to the account I used for United. They were actually pretty good about responding when the abuse was brought to their attention. IIRC they traced it back to an email service vendor.

      --
      the growth in cynicism and rebellion has not been without cause
    4. Re:Nice of the hackers to tell us by Glendale2x · · Score: 3, Insightful

      Another question would be why does an employee have a list of user email addresses stored in their account? If employees can export customer data like that who cares how many factors of authentication they add.

      --
      this is my sig
    5. Re:Nice of the hackers to tell us by AmiMoJo · · Score: 2

      I have no idea how anyone can trust them with their data.

      Who says we do? Truecrypt container FTW.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Why are They Lecturing Us About Password Security? by McDee · · Score: 4, Insightful

    Okay so yes it's a good idea to have different passwords for each website, but given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    And yes, two-factor authentication would be very nice. Please do it using an already-existing system like YubiKey rather than make your own.

  3. Ummm... by fuzzyfuzzyfungus · · Score: 3, Insightful

    And why, pray tell, did this dropbox employee have a list of user email accounts stored in his dropbox?

    Unless they run things rather differently than everybody else in the universe, user emails aren't exactly zOMG Super Secret; but they tend to reside somewhere in the bowels of the system for mailing-list and password reset purposes handled largely by automated tools, not in list form in human file storage areas. Outside of the relatively small number that might collect during the course of handling support requests or the like, why would an employee have any use for a substantial list of addresses, stored insecurely?

  4. Re:What does this mean? by RobinH · · Score: 2

    The normal way to implement this (a la Google) is to get your mobile phone number and when you want to login, they text you a secret phrase. You have to type this into the site, along with your normal password, to gain access. Note that you only have to do this every X weeks from each different computer you're logging in from, so you don't have to do it all the time. What it means is that you need to know the password *and* be able to receive texts sent to that phone number in order to login. If someone steals your phone, they shouldn't know the password, and if someone gets your password, they probably don't have your phone. Or at least it's less likely.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  5. Lecturing Us About Password Security? by Captain+Hook · · Score: 5, Informative

    given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.

    When the hackers tried his credentials on the dropbox site, they found his dropbox account used the same password and were able to access all the files he was storing which contained a list of names and email addresses.

    They are mentioning using different passwords for different sites not because they are worried about your password but because it was how dropbox themselves got attacked.

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
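The login flow RobinH describes above (a code texted to the user's phone, typed in alongside the password, with the computer then remembered for a period so the code is not demanded every time), applied to the attack Captain Hook describes (a password reused on another site being replayed against Dropbox). This is an added, self-contained illustration and not Dropbox's code; the delivery step is a callable stub rather than a real SMS gateway, the six-digit code format, the five-minute code lifetime and the thirty-day "remembered computer" window are assumptions, and the account names are constructed for the demo.

```python
"""Second-factor login with a remembered-device window (added example).

A correct password on an unknown device gets a one-time code sent
out-of-band; the code must be presented together with the password.
Once the code is accepted, that device id is trusted for TRUST_TTL
seconds and only the password is asked for.  A reused password replayed
from an attacker's machine therefore stops at "code_sent".
"""

import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 5 * 60                 # assumption: code valid 5 minutes
TRUST_TTL_SECONDS = 30 * 24 * 3600        # assumption: "every X weeks" = 30 days


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, username, password, phone, send_sms):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.phone = phone
        self.send_sms = send_sms              # callable(phone, code); stubbed in demo
        self.server_secret = os.urandom(32)   # keys the stored code hashes
        self.pending = {}                     # device_id -> (code_hash, expires_at)
        self.trusted = {}                     # device_id -> trust_expires_at

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

    def _code_hash(self, code):
        return hmac.new(self.server_secret, code.encode(), "sha256").digest()

    def start_login(self, password, device_id, now=None):
        """Return 'denied', 'ok' (trusted device) or 'code_sent'."""
        now = time.time() if now is None else now
        if not self.check_password(password):
            return "denied"
        exp = self.trusted.get(device_id)
        if exp is not None and exp > now:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[device_id] = (self._code_hash(code), now + CODE_TTL_SECONDS)
        self.send_sms(self.phone, code)
        return "code_sent"

    def finish_login(self, password, device_id, code, now=None):
        """Password plus code; a wrong or stale code consumes the attempt."""
        now = time.time() if now is None else now
        if not self.check_password(password):
            return False
        entry = self.pending.pop(device_id, None)   # one guess per issued code
        if entry is None:
            return False
        expected, expires_at = entry
        if now > expires_at:
            return False
        if not hmac.compare_digest(expected, self._code_hash(code)):
            return False
        self.trusted[device_id] = now + TRUST_TTL_SECONDS
        return True


def demo():
    """Constructed scenario: owner on her laptop, attacker with the reused password."""
    outbox = []
    acct = Account("alice", "hunter2", "+15550100", lambda ph, c: outbox.append(c))
    t0 = 1_000_000.0
    r1 = acct.start_login("hunter2", "laptop", now=t0)                       # code_sent
    ok = acct.finish_login("hunter2", "laptop", outbox[-1], now=t0 + 10)     # True
    r2 = acct.start_login("hunter2", "laptop", now=t0 + 3600)                # ok, trusted
    r3 = acct.start_login("hunter2", "attacker-box", now=t0 + 3600)          # code_sent
    guess = "000000" if outbox[-1] != "000000" else "111111"                 # attacker has no phone
    bad = acct.finish_login("hunter2", "attacker-box", guess, now=t0 + 3700)  # False
    r4 = acct.start_login("hunter2", "laptop", now=t0 + TRUST_TTL_SECONDS + 100)  # trust expired
    return r1, ok, r2, r3, bad, r4


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in the demo: the attacker holds a correct, reused password, yet every attempt from a machine the account has never trusted ends at "code_sent", and a wrong code both fails and discards the pending code so it cannot be brute-forced in place.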
    1. Re:Lecturing Us About Password Security? by BronsCon · · Score: 2

      Diversionary tactic or not, how many Dropbox users would understand, or even care about, the privacy implications of Dropbox's security policies? I'm guessing just the ones in this thread, so, by far, the minority. What the email they sent out (I got one, I've read it, I know what it says) does, that you're ignoring, is educate users who don't know better, including the employee whose account was hacked.

      Now, I'm not supporting their security practices; certainly, that information should not have been stored in an employee's dropbox, but that's not the point here. Ask yourself, and answer realistically, if Dropbox had sent out an email explaining that one of their employees had a list of email addresses in their dropbox, how many people would have just been like "Oh? See? I knew I was on to something when I started doing that!".

      I don't think Dropbox is trying to get users to blame themselves, I think they're speaking to their largely non-technical audience, in plain terms, and relaying a lesson they just learned, without including details that may confuse those same users. As evidence of this, I present the link from that email, which takes you to their blog, on which the most recent post explains exactly what happened, including all the juicy details you insinuate they're trying to hide.

      To summarize what Dropbox has done here: They sent an email, to their largely non-technical userbase, with some very worthwhile security advice that is (sadly) not common knowledge. In that email, they provide a password change link, a link to a tool to make it easier to keep track of multiple passwords, and a link to the explanation of why they are doing this and a real-life example of exactly why the user should follow the advice. That's pretty powerful stuff; one has to wonder, if every company were as proactive in cleaning up their security messes as Dropbox is being in this instance, would the number of idiot users be reduced?

      Now, I understand the point of view you're probably coming from. If Dropbox, and other companies, were more proactive in preventing these types of security issues altogether, idiot users would be less of a problem. Here's where that point of view fails: The security issue here was an idiot user, not a Dropbox policy or a flaw in their system. There wasn't anything Dropbox could have done to prevent this, except to educate their users (and employees), it was entirely under the control of an idiot who didn't know better. User education is the correct response. Yes, they could have educated their users before this incident, but without a clear example to answer the "why are you shoving this in my face?" question, those who didn't simply ignore the advice would get pissed off or offended, then ignore the advice. And who's to say their policy hasn't been, from day one, "don't use the same password here that you use elsewhere"? How would they enforce it? They can't.

      Sadly, if it means more work for the user, the user will ignore it. Even with this incident, and a clear explanation of what can happen, you know as well as I do that 90% of users are going to change their Dropbox password, then promptly change all their other passwords to match it. At least we won 10% of users, today.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  6. Re:Why are They Lecturing Us About Password Security? by rgbrenner · · Score: 5, Insightful

    The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..

    Why in the hell did he have a list of customer email addresses in his account?

    Is this a common practice there.. to let employees store copies of customer data all over the place?

    I think dropbox has proven repeatedly they really don't care about the security of their customers data.

  7. You'd think at least the Dropbox people ... by dbIII · · Score: 2

    You'd think at least the dropbox people would be aware of how insecure dropbox is.
    You let somebody in and they can always get in - changing the password doesn't change the key and only gives the illusion that you are locking people out.

  8. Re:Are you doing enough though? by kaushik · · Score: 2

    Companies do try in earnest. I'd be willing to admit that bigger companies probably try a lot harder. Firms like Ebay are constantly training (and retraining) their employees on social engineering, document security, the risks of transferable media (e.g. USB drives), etc.

    However, it is practically impossible for a company to put bulletproof safeguards around things like:

    + Laziness (opting for convenience vs. security)
    + Ignorance
    + Malice (intentional compromise of information)
    + Plain old human error

    So the question really becomes, when has a company done enough...?

  9. Re:stackoverflow too... by uigrad_2000 · · Score: 2

    How do you know it was dropbox that let your address out?

    I use spamgourmet to create unique email addresses for every site that wants my email address. I've used this for nearly 10 years and have created 616 different email addresses. The one I used for dropbox has never received spam, but I have gotten spam on the addresses I created for a samsclub rebate, and for the email address I used to make an account with Sony Online Entertainment, and on a few various other websites. These types of database cracks are common, and it really shouldn't be a news story.

    I do not wish to advertise for the site mentioned above. As it stands now, google and yahoo mail both give the opportunity to make disposable email addresses now, so the service I use is no longer unique. But, I do recommend that everyone use a service of this type, so that you can shut down only the addresses that you get spam with.

    --
    Free unix account: freeshell.org
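The per-site address scheme uigrad_2000 describes above, as an added example that is not spamgourmet's or any mail provider's code: each service gets its own address, spam arriving at one of them points at the service that leaked it, and only that address is shut off. It assumes a catch-all domain the user controls (`example.net` here is a placeholder), a locally kept secret used to derive the local part so that aliases cannot be guessed from the site name alone, and a constructed set of incoming To: headers standing in for a real inbox.

```python
"""Per-site disposable aliases with leak attribution (added example).

alias_for(site) derives "<site>.<tag>@<domain>", where tag is an HMAC of
the site name under a user-held secret.  attribute() recomputes the tag
for an incoming address, so forged or guessed local parts are rejected,
and leak_report() tallies spam per site to show which one leaked.
"""

import hashlib
import hmac
from email.utils import parseaddr

TAG_LEN = 10   # hex characters of the HMAC kept in the local part


class AliasBook:
    def __init__(self, domain, secret):
        self.domain = domain.lower()
        self.secret = secret          # bytes; keep it private, it makes aliases unguessable
        self._disabled = set()

    def _tag(self, site):
        return hmac.new(self.secret, site.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

    def alias_for(self, site):
        """Address to hand to one service; deterministic for the same site."""
        site = site.lower()
        return f"{site}.{self._tag(site)}@{self.domain}"

    def attribute(self, to_header):
        """Return the site an incoming address was issued to, or None."""
        _, addr = parseaddr(to_header)
        local, _, domain = addr.lower().rpartition("@")
        if domain != self.domain or "." not in local:
            return None
        site, _, tag = local.rpartition(".")   # tag is hex, so it holds no '.'
        if len(tag) != TAG_LEN or not hmac.compare_digest(tag, self._tag(site)):
            return None                          # not one we issued
        return site

    def disable(self, site):
        """Shut off a single leaked address without touching the others."""
        self._disabled.add(site.lower())

    def accept(self, to_header):
        site = self.attribute(to_header)
        return site is not None and site not in self._disabled

    def leak_report(self, spam_headers):
        """Spam count per site: the evidence the commenter uses to place blame."""
        counts = {}
        for hdr in spam_headers:
            site = self.attribute(hdr)
            if site is not None:
                counts[site] = counts.get(site, 0) + 1
        return counts


def demo():
    book = AliasBook("example.net", b"constructed-demo-secret")
    # Constructed sample To: headers, as if pulled from the spam folder.
    spam = [
        f"Spam Bot <{book.alias_for('samsclub')}>",
        book.alias_for("samsclub"),
        book.alias_for("soe"),
        "someone.deadbeef00@example.net",    # guessed local part, tag fails to verify
        "dropbox@other-domain.example",      # not our domain at all
    ]
    report = book.leak_report(spam)          # {"samsclub": 2, "soe": 1}
    book.disable("samsclub")
    still_open = book.accept(book.alias_for("dropbox"))     # True
    shut_off = book.accept(book.alias_for("samsclub"))      # False
    return report, still_open, shut_off


if __name__ == "__main__":
    print(demo())
```

Because the tag is keyed, a spammer who learns one alias cannot derive the alias for another service, and an address with a bad tag is dropped before it ever counts against a site; the dropbox alias keeps working after the samsclub one is disabled, which is the whole reason for one address per service.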
  10. Re:Why are They Lecturing Us About Password Security? by rgbrenner · · Score: 2

    Excuse me.. but please don't make up explanations and ask us all to pretend it's ok.

    Dropbox says it was a project document with hundreds of customer email addresses.

    I don't know about you, but I don't call my email client a "project document"

  11. Re:Why are They Lecturing Us About Password Security? by Wamoc · · Score: 2

    It wasn't the employee's email that was hacked. An employee's Dropbox account was hacked that had a file with client email addresses in it. They seriously need to create and enforce some rules on storing customer data.