Dropbox Security Failure

[Deozaan]

A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

-http://blog.dropbox.com/index.php/security-update-new-features/

Read the rest here:

http://blog.dropbox....update-new-features/

[IainB]

@Deozaan: Thanks for the heads-up.

[Ehtyar]

Any company not comparing every major password breach against their own users' credentials (especially the freakin' staff!!) (not to mention having a higher authentication barrier for staff) should be ****.

Ehtyar.

[f0dder]

Keeping Dropbox secure is at the heart of what we do,

LOL.

Also,

In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

That one is very scary. If the passwords are stored in any reasonable way (salted+hashed), they won't be able to do this. But considering that user data isn't encrypted with unique per-user keys, and the previous security "oopses" that DropBox have had, well...

[wraith808]

I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

[IainB]

I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

-wraith808 (August 02, 2012, 03:46 PM)

^ Yes. Probably not a failure per se by Dropbox.
It seems to me as though they have come clean about what looks to be a lapse in internal security policy/procedure, and it will be fixed and presumably no-one is to be given 50 lashes for the lapse.
Wuala begins to look better and better...

[Deozaan]

I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

-wraith808 (August 02, 2012, 03:46 PM)

The reason I used the word "failure" was more down to a brain-fart than anything else. I just couldn't (and still can't) think of a more appropriate word. It wasn't really a Dropbox vulnerability. Not really a Dropbox leak. Dropbox wasn't exactly hacked... So what is it?

[wraith808]

It's more social hacking than anything else, I think.

[Deozaan]

It's more social hacking than anything else, I think.

-wraith808 (August 02, 2012, 07:49 PM)

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

[wraith808]

It's more social hacking than anything else, I think.

-wraith808 (August 02, 2012, 07:49 PM)

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

-Deozaan (August 03, 2012, 03:26 AM)

I guess it doesn't really matter... other than the fact that I don't think this has anything to do with dropbox security.  If I give my password to someone and they use it to access my account, is it the system's fault?  Pretty much, this is the same thing- the passwords were already compromised, and the people in question didn't change it on their accounts.

[Stoic Joker]

Well... Here's what I find troubling:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts

-The Article

Passwords were stolen from "other websites" ...(Hm.../...And the buck pass goes for the long bomb!)... Anytime something is worded that carefully...somebody is full of shit.

The confusion is being caused by that key yet carefully misworded statement.

[f0dder]

It's more social hacking than anything else, I think.

-wraith808 (August 02, 2012, 07:49 PM)

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

-Deozaan (August 03, 2012, 03:26 AM)

I guess it doesn't really matter... other than the fact that I don't think this has anything to do with dropbox security.  If I give my password to someone and they use it to access my account, is it the system's fault?  Pretty much, this is the same thing- the passwords were already compromised, and the people in question didn't change it on their accounts.

-wraith808 (August 03, 2012, 06:47 AM)

It might not affect the security of the dropbox software directly (but as has been shown previously, that was already bad enough).

But do consider that employees can access your files - that was one of the flaws shown previous (dropbox claimed they couldn't, and later kinda fuddle-backtracked trying to claim that "our CEO can, but he's not an employee"). If dropbox employees are that easy to social-engineer, and they keep stuff like usernames and email addresses under so little security...