Author Topic: Dropbox Security Failure  (Read 6248 times)

Deozaan

Dropbox Security Failure
« on: August 01, 2012, 04:20 PM »
A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Read the rest here:

http://blog.dropbox....update-new-features/

IainB

Re: Dropbox Security Failure
« Reply #1 on: August 01, 2012, 06:28 PM »
@Deozaan: Thanks for the heads-up.

Ehtyar

Re: Dropbox Security Failure
« Reply #2 on: August 01, 2012, 07:04 PM »
Any company not comparing every major password breach against their own users' credentials (especially the freakin' staff!!) (not to mention having a higher authentication barrier for staff) should be ****.

Ehtyar.
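
The check described in Reply #2, comparing a leaked credential dump against a service's own accounts, sketched as an added example that is not part of the original thread. It assumes passwords are stored as per-user salted PBKDF2 hashes; the record layout, function names and sample data are all constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password, salt):
    """Derive the stored verifier from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)

def make_user_record(password, staff=False):
    """Build a constructed account record: random salt plus salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "staff": staff}

def find_reused_credentials(user_db, leaked_pairs):
    """Return (email, is_staff) for accounts whose current password is in a dump.

    The service never needs its users' plaintext passwords: each leaked
    password is re-hashed with the matching account's own salt and compared
    to the stored hash.
    """
    exposed = set()
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        record = user_db.get(key)
        if record is None:
            continue  # leaked address is not one of our accounts
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add((key, record["staff"]))
    # Staff accounts sort first so they are reset and reviewed before the rest.
    return sorted(exposed, key=lambda item: (not item[1], item[0]))

# Constructed sample data: a tiny account store and a third-party breach dump.
USER_DB = {
    "alice@example.com": make_user_record("correct horse battery"),
    "bob@example.com": make_user_record("hunter2"),
    "ops@example.com": make_user_record("Summer2012!", staff=True),
}
LEAKED_PAIRS = [
    ("Bob@example.com", "hunter2"),        # reused password, mixed-case address
    ("alice@example.com", "password1"),    # address leaked, password differs
    ("ops@example.com", "Summer2012!"),    # staff account reusing a password
    ("nobody@example.com", "hunter2"),     # not a customer
]

if __name__ == "__main__":
    for email, is_staff in find_reused_credentials(USER_DB, LEAKED_PAIRS):
        print(("STAFF " if is_staff else "user  ") + email + ": force reset")
```

Accounts returned by the check would have their passwords reset and their sessions revoked.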

f0dder

Re: Dropbox Security Failure
« Reply #3 on: August 02, 2012, 03:35 PM »
"Keeping Dropbox secure is at the heart of what we do,"
LOL.

Also,
"In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)"
That one is very scary. If the passwords are stored in any reasonable way (salted+hashed), they won't be able to do this. But considering that user data isn't encrypted with unique per-user keys, and the previous security "oopses" that Dropbox have had, well...
- carpe noctem

wraith808

Re: Dropbox Security Failure
« Reply #4 on: August 02, 2012, 03:46 PM »
I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

IainB

Re: Dropbox Security Failure
« Reply #5 on: August 02, 2012, 05:18 PM »
I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.
^ Yes. Probably not a failure per se by Dropbox.
It seems to me as though they have come clean about what looks to be a lapse in internal security policy/procedure, and it will be fixed and presumably no-one is to be given 50 lashes for the lapse.
Wuala begins to look better and better...

Deozaan

Re: Dropbox Security Failure
« Reply #6 on: August 02, 2012, 06:10 PM »
I just don't see why this is a security failure on the part of Dropbox.  Sure, they've had their failures, but this doesn't seem to be one of them.

The reason I used the word "failure" was more down to a brain-fart than anything else. I just couldn't (and still can't) think of a more appropriate word. It wasn't really a Dropbox vulnerability. Not really a Dropbox leak. Dropbox wasn't exactly hacked... So what is it?

wraith808

Re: Dropbox Security Failure
« Reply #7 on: August 02, 2012, 07:49 PM »
It's more social hacking than anything else, I think.

Deozaan

Re: Dropbox Security Failure
« Reply #8 on: August 03, 2012, 03:26 AM »
It's more social hacking than anything else, I think.

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

wraith808

Re: Dropbox Security Failure
« Reply #9 on: August 03, 2012, 06:47 AM »
It's more social hacking than anything else, I think.

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

I guess it doesn't really matter... other than the fact that I don't think this has anything to do with Dropbox security.  If I give my password to someone and they use it to access my account, is it the system's fault?  Pretty much, this is the same thing - the passwords were already compromised, and the people in question didn't change it on their accounts.

Stoic Joker

Re: Dropbox Security Failure
« Reply #10 on: August 03, 2012, 07:13 AM »
Well... Here's what I find troubling:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts
-The Article

Passwords were stolen from "other websites" ...(Hm.../...And the buck pass goes for the long bomb!)... Anytime something is worded that carefully...somebody is full of shit.

The confusion is being caused by that key yet carefully misworded statement.

f0dder

Re: Dropbox Security Failure
« Reply #11 on: August 03, 2012, 11:51 AM »
It's more social hacking than anything else, I think.

I think the word just came to me, though it still isn't quite fitting. Perhaps a more appropriate title would be: "Dropbox Security Exploited"

I guess it doesn't really matter... other than the fact that I don't think this has anything to do with Dropbox security.  If I give my password to someone and they use it to access my account, is it the system's fault?  Pretty much, this is the same thing - the passwords were already compromised, and the people in question didn't change it on their accounts.
It might not affect the security of the Dropbox software directly (but as has been shown previously, that was already bad enough).

But do consider that employees can access your files - that was one of the flaws shown previously (Dropbox claimed they couldn't, and later kinda fuddle-backtracked trying to claim that "our CEO can, but he's not an employee"). If Dropbox employees are that easy to social-engineer, and they keep stuff like usernames and email addresses under so little security...  :-\
- carpe noctem