Main Area and Open Discussion > Living Room

Dropbox Security Failure

(1/3) > >>

Deozaan:
A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.-http://blog.dropbox.com/index.php/security-update-new-features/
--- End quote ---

Read the rest here:

http://blog.dropbox.com/index.php/security-update-new-features/

IainB:
@Deozaan: Thanks for the heads-up.

Ehtyar:
Any company not comparing every major password breach against their own users' credentials (especially the freakin' staff!!) (not to mention having a higher authentication barrier for staff) should be ****.

Ehtyar.

f0dder:
Keeping Dropbox secure is at the heart of what we do,
--- End quote ---
LOL.

Also,
In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
--- End quote ---
That one is very scary. If the passwords are stored in any reasonable way (salted+hashed), they won't be able to do this. But considering that user data isn't encrypted with unique per-user keys, and the previous security "oopses" that DropBox have had, well...

wraith808:
I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

Navigation

[0] Message Index

[#] Next page