Slashdot Mirror


Dropbox Confirms Email Addresses Were Pilfered

bigvibes writes "A couple of weeks ago Dropbox hired some outside experts to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses." This particular employee had a list of user emails stored in their Dropbox. To prevent future incidents, Dropbox is moving toward two-factor authentication.

4 of 89 comments

  1. Re:Nice of the hackers to tell us by evilRhino · · Score: 5, Informative

    Actually, the hackers didn't tell anyone. If people hadn't set up specific email addresses for their Dropbox account, checked these boxes for mail, and reported spam, this might have never been discovered.

  2. Re:Nice of the hackers to tell us by rgbrenner · · Score: 5, Insightful

    A small company isn't likely to have security experts on staff, and even if they do there's no guarantee those experts will catch every break-in.

    Dropbox is not exactly a small company.. They had $240 million in revenue in 2011 entirely from storing customer data.. Seems like they could spend 1% or 2% of that on security. http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/

    It's been just over a year since the login-without-a-password Dropbox security breach... Where they said "a few hundred" accounts were accessed, but had no way of verifying how many were actually accessed.

    It's all just so incredibly sloppy.

    Why are they still in business? They obviously don't know what they are doing. I have no idea how anyone can trust them with their data.

  3. Lecturing Us About Password Security? by Captain+Hook · · Score: 5, Informative

    Given that the emails were obtained from a file held in a Dropbox employee's account, I'm not sure why they are talking about it in the context of this break-in.

    The employee used the same password for his work/dropbox account and some other website. That other website got hacked and the attackers got his password from that other site.

    When the hackers tried his credentials on the Dropbox site, they found his Dropbox account used the same password and were able to access all the files he was storing, which contained a list of names and email addresses.

    They are mentioning using different passwords for different sites not because they are worried about your password but because it was how Dropbox themselves got attacked.

    --
    These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
  4. Re:Why are They Lecturing Us About Password Securi by rgbrenner · · Score: 5, Insightful

    The whole thing is some kind of joke. Just forget for a moment that the employee used the same password on multiple sites..

    Why in the hell did he have a list of customer email addresses in his account?

    Is this a common practice there.. to let employees store copies of customer data all over the place?

    I think Dropbox has proven repeatedly they really don't care about the security of their customers' data.