Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dropbox Confirms Email Addresses Were Pilfered

Posted by Unknown on from the three-factor-auth-coming-to-a-store-near-you dept.

bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.

8 of 89 comments (clear)

  1. Nice of the hackers to tell us by MrEricSir · · Score: 4, Interesting

    In so many of these cases, the only reason anyone finds out that a site or service was hacked was that the hackers were nice enough to brag about it in public or leave some kind of obvious trail.

    It makes one wonder: how much black hat hacking goes undetected? A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

    --
    There's no -1 for "I don't get it."
    1. Re:Nice of the hackers to tell us by evilRhino · · Score: 5, Informative

      Actually, the hackers didn't tell anyone. If people hadn't set up specific email addresses for their dropbox account, checked these boxes for mail, and reported spam, this might have never been discovered.

    2. Re:Nice of the hackers to tell us by rgbrenner · · Score: 5, Insightful

      A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

      Dropbox is not exactly a small company.. They had $240 million in revenue in 2011 entirely from storing customer data.. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/

      It's been just over a year since the login-without-a-password dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.

      It's all just so incredibly sloppy.

      Why are they still in business? They obviously don't know what they are doing. I have no idea how can anyone trust them with their data.

    3. Re:Nice of the hackers to tell us by Glendale2x · · Score: 3, Insightful

      Another question would be why does an employee have an list of user email addresses stored in their account? If employees can export customer data like that who cares how many factors of authentication they add.

      --
      this is my sig
  2. Why are They Lecturing Us About Password Security? by McDee · · Score: 4, Insightful

    Okay so yes it's a good idea to have different passwords for each website, but given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    And yes, two-factor authentication would be very nice. Please do it using an already-existing system like YubiKey rather than make your own.

  3. Ummm... by fuzzyfuzzyfungus · · Score: 3, Insightful

    And why, pray tell, did this dropbox employee have a list of user email accounts stored in his dropbox?

    Unless they run things rather differently than everybody else in the universe, user emails aren't exactly zOMG Super Secret; but they tend to reside somewhere in the bowels of the system for mailing-list and password reset purposes handled largely by automated tools, not in list form in human file storage areas. Outside of the relatively small number that might collect during the course of handling support requests or the like, why would an employee have any use for a substantial list of addresses, stored insecurely?

  4. Lecturing Us About Password Security? by Captain+Hook · · Score: 5, Informative

    given that the emails were obtained from a file held in a Dropbox employee's account I'm not sure why they are talking about it in the context of this break-in.

    The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.

    When the hackers tried his credentials on the dropbox site, they found his dropbox account used the same password and were able to access all the files he was storing which contained a list of names and email addresses.

    They are mentioning using different passwords for different sites not because they are worried about your password but because it was how dropbox themselves got attacked.

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
  5. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 5, Insightful

    The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..

    Why in the hell did he have a list of customer email addresses in his account?

    Is this a common practice there.. to let employees store copies of customer data all over the place?

    I think dropbox has proven repeatedly they really don't care about the security of their customers data.