Author Topic: Dropbox Security Failure  (Read 2096 times)
Deozaan
« on: August 01, 2012, 04:20:07 PM »

Quote
A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Read the rest here:

http://blog.dropbox.com/i...rity-update-new-features/
IainB
« Reply #1 on: August 01, 2012, 06:28:56 PM »

@Deozaan: Thanks for the heads-up.
Ehtyar
« Reply #2 on: August 01, 2012, 07:04:16 PM »

Any company not comparing every major password breach against their own users' credentials (especially the freakin' staff!!) (not to mention having a higher authentication barrier for staff) should be ****.

Ehtyar.
f0dder
« Reply #3 on: August 02, 2012, 03:35:49 PM »

Quote
Keeping Dropbox secure is at the heart of what we do,
LOL.

Also,
Quote
In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
That one is very scary. If the passwords are stored in any reasonable way (salted+hashed), they won't be able to do this. But considering that user data isn't encrypted with unique per-user keys, and the previous security "oopses" that DropBox have had, well...
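The check Ehtyar asks for (screening users against published breach dumps) and the "commonly used password" notice f0dder quotes can both be done by a service that stores only salted hashes, because the plaintext is in hand for a moment at login. The following is an added example, not Dropbox's code or anyone's from this thread; the breach corpus and the range-lookup helper are constructed stand-ins that mimic a k-anonymity prefix query.

```python
"""Login-time breached-password check (added example, not Dropbox code).

Passwords at rest are salted+hashed (PBKDF2), so the user table cannot be
scanned against a breach list offline. At login the plaintext is briefly
available, so the comparison runs there and the account is flagged for a
forced reset. BREACH_INDEX is a constructed stand-in for a breach corpus.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords seen
# in public dumps, indexed by their first 5 hex chars (k-anonymity style).
_BREACHED_PLAINTEXTS = ["password", "123456", "dropbox2012"]
BREACH_INDEX: dict[str, set[str]] = {}
for _p in _BREACHED_PLAINTEXTS:
    _h = hashlib.sha1(_p.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set[str]:
    """Simulated range query: caller sends only the 5-char prefix and gets
    back every suffix known under it, so the full hash never leaves."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def new_record(password: str) -> dict:
    """Store only a random salt and a PBKDF2 hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def login(record: dict, password: str) -> tuple[bool, bool]:
    """Return (authenticated, must_reset). The breach lookup runs only after
    a correct password, so wrong guesses are never compared to the corpus."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], 100_000)
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, False
    return True, is_breached(password)
```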
wraith808
« Reply #4 on: August 02, 2012, 03:46:39 PM »

I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.
IainB
« Reply #5 on: August 02, 2012, 05:18:14 PM »

Quote from: wraith808
I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.
^ Yes. Probably not a failure per se by Dropbox.
It seems to me as though they have come clean about what looks to be a lapse in internal security policy/procedure, and it will be fixed and presumably no-one is to be given 50 lashes for the lapse.
Wuala begins to look better and better...
Deozaan
« Reply #6 on: August 02, 2012, 06:10:42 PM »

Quote from: wraith808
I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

The reason I used the word "failure" was more down to a brain-fart than anything else. I just couldn't (and still can't) think of a more appropriate word. It wasn't really a Dropbox vulnerability. Not really a Dropbox leak. Dropbox wasn't exactly hacked... So what is it?
wraith808
« Reply #7 on: August 02, 2012, 07:49:25 PM »

It's more social hacking than anything else, I think.
Deozaan
« Reply #8 on: August 03, 2012, 03:26:51 AM »

Quote from: wraith808
It's more social hacking than anything else, I think.

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"
wraith808
« Reply #9 on: August 03, 2012, 06:47:13 AM »

Quote from: wraith808
It's more social hacking than anything else, I think.

Quote from: Deozaan
I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

I guess it doesn't really matter... other than the fact that I don't think this has anything to do with dropbox security.  If I give my password to someone and they use it to access my account, is it the system's fault?  Pretty much, this is the same thing- the passwords were already compromised, and the people in question didn't change it on their accounts.
Stoic Joker
« Reply #10 on: August 03, 2012, 07:13:21 AM »

Well... Here's what I find troubling:
Quote from: The Article
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts

Passwords were stolen from "other websites" ...(Hm.../...And the buck pass goes for the long bomb!)... Anytime something is worded that carefully...somebody is full of shit.

The confusion is being caused by that key yet carefully misworded statement.
f0dder
« Reply #11 on: August 03, 2012, 11:51:32 AM »

Quote from: wraith808
It's more social hacking than anything else, I think.

Quote from: Deozaan
I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

Quote from: wraith808
I guess it doesn't really matter... other than the fact that I don't think this has anything to do with dropbox security.  If I give my password to someone and they use it to access my account, is it the system's fault?  Pretty much, this is the same thing- the passwords were already compromised, and the people in question didn't change it on their accounts.
It might not affect the security of the dropbox software directly (but as has been shown previously, that was already bad enough).

But do consider that employees can access your files - that was one of the flaws shown previous (dropbox claimed they couldn't, and later kinda fuddle-backtracked trying to claim that "our CEO can, but he's not an employee"). If dropbox employees are that easy to social-engineer, and they keep stuff like usernames and email addresses under so little security...  undecided