Dropbox hack results in stolen usernames and passwords, new security measures

Dropbox is an extremely popular cloud storage service used by many people, including me and likely you. However, popularity or size doesn’t mean you are immune from hackers. For a few weeks now, Dropbox users have been complaining of a sudden increase in spam to e-mail addresses they only use for Dropbox. Dropbox has now confirmed that the spam is related to a recent Dropbox security breach.

What happened is that Dropbox was hacked and a bunch of usernames and passwords were stolen. One such user account belongs to a Dropbox employee and contained a file with Dropbox users’ e-mail addresses. This document is the reason why many Dropbox users were (are?) being spammed.

Aside from the spam issue, the obvious issue at hand is the usernames and passwords of some Dropbox users were stolen. Dropbox has already contacted the affected users and informed them about the breach so they can change their passwords, and Dropbox has introduced a bunch of new security features to help prevent this from happening in the future:

  • Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
  • New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
  • A new page that lets you examine all active logins to your account.
  • In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

While I understand that anyone can be hacked, it must be asked: does Dropbox store passwords in plain text? Because, obviously, the hackers used the stolen info to log in to user accounts, meaning the passwords were (are) stored either in a poorly protected format or in plain text. What the hell, Dropbox.
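The question above is really about how the credentials were stored. As an added example (not Dropbox's code, and the parameters are assumptions chosen for illustration), here is the difference between a record that hands an attacker the password and one that does not: a per-user random salt plus a slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), compared in constant time at login.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; a real service tunes the iteration
# count to its hardware and revisits it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password, salt=None):
    """Build the record a service should store instead of the password itself.

    A fresh random salt per user means two users with the same password get
    different stored hashes, so a stolen table cannot be matched across users
    or against a precomputed list.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "alg": "pbkdf2_sha256",
        "iters": ITERATIONS,
        "salt": salt.hex(),
        "hash": dk.hex(),
    }


def verify(record, candidate):
    """Re-derive the key from the stored salt and compare in constant time.

    hmac.compare_digest avoids leaking how many leading bytes matched through
    timing differences.
    """
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iters"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_same_hash(password):
    """Show why the salt matters: without it, equal passwords would collide."""
    a = make_record(password)
    b = make_record(password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    rec = make_record("correct horse battery staple")
    print("stored record:", rec)
    print("right password accepted:", verify(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify(rec, "Correct horse battery staple"))
    print("salted hashes collide:", same_password_same_hash("correct horse battery staple"))
```

What the stolen copy of this table gives an attacker is a salt and a derived key per user, each of which must be attacked separately at the cost of the full iteration count per guess; a plain-text column would have given them the passwords outright, which is the scenario the post is worried about.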

[via Engadget]

Comments

22 comments

  1. Nostradamus

    @jayesstee:
    You’re right! Rather call me fortune teller :)
    BTW: If these two are totally unrelated (main mistake of that guy was to use iStuff everywhere, including the (i).mac address being his password reset address for other accounts) /and/ the content is encrypted(!!!) there is a pretty low probability to lose all.
    To integrate your point: A local USB-disk (or server) backup never hurts…

  2. jayesstee

    @Frank: Quote:
    “I just proposed to use at least TWO independent cloud storages.

    I must be a GENIUS :)”

    Yup. “TWO independent cloud storages” gives you twice the chance of being hacked! :) :)

    That’s not what I call GENIUS. ;)

  3. Frank

    @jayesstee:
    MATE???!!
    You don’t know what ;) means???

    BTW: Regarding the LEAs I could help you if you told me your name/address. Nowadays one only needs to accuse you of terrorism –> pls. NOTICE the ;) –> ;)

    And IMHO no one needs to fear cloud as long as he uses strong encryption. I just proposed to use at least TWO independent cloud storages. Just in case one vanished… (one of my 4 VPS did these days after having been bought by a bleeding French company… BTW, you remember GW Bush’s idea about France?)

  4. jayesstee

    @Frank: Quote:
    “mate, don’t be so negative! How much less probable is it your home burns or is flooded vs. my LEA example?”

    In my (longish) married life I have had two homes burgled. I currently live near the coast, just metres above sea level. My home is surrounded by trees. So fire, flood or theft is a small, but definite risk. I have never been raided by a LEA nor am I knowingly acquainted with anyone who has. (There was a low-level earthquake 40 miles away, out at sea about 8 or 10 years ago, but I’m not worrying about this risk.)

    IMHO, off site backup is a sensible precaution, but using the ‘cloud’ is an additional, unnecessary risk.

  5. Stacey

    Thanks for your marvelous posting! I quite enjoyed reading it,
    you’re a great author. I will be sure to bookmark your blog and will often come back at some point. I want to encourage you to continue your great job, have a nice weekend!

  6. Frank

    @ovl: yeah, thought about this too. Some say the Chinese built it into hardware already for their own use ;)

    Anyway: What you write only needs to worry criminals. Usual people do not fear having their data seen by LEAs (they have better to do). But I do fear having all my data taken away and having no access anymore for months.

  7. ovl

    “*just think about the LEAs raid your home (can happen to anyone)… For that reason either use TrueCrypt and store the container online or even use file name encryption like BoxCryptor gives”.

    If the law enforcement agencies (LEAs) can raid anyone’s home, then any network computer may have a “rootkit monitoring tool” which is tracking files in HDs and sending the information to hackers. In this case BoxCryptor virtual disk data is completely accessible for this monitoring tool as the decrypted virtual disk works like any other system drive, it means, completely transparent for any Windows application and hackers will be able to see the decrypted content of the encrypted folder.

  8. jayesstee

    @Frank:

    Sorry Frank, it must be an “age” thing, but for serious/valuable transactions, I want to deal with organisations that if necessary, I can go and kick their door. (Yes I do buy off the web, but the more expensive the purchase, the more safeguards I take. I wouldn’t buy a new megabuck 50″ 3D TV from a site with no checkable landline ‘phone number, address, etc.)

    Off site backup storage is essential for the reasons you give amongst others (fire, theft, flood, earthquake etc.), but it must be in a place that you have control over, including the ability to visit. The “cloud” doesn’t fit that definition.
    Of course it might cost money, if you don’t have a local friend or relative.

    Everybody clamours for free cloud storage without considering what is in it for the cloud storage providers – no such thing as a free lunch!

  9. Frank

    @jayesstee:
    well, this online storage and the sync between devices can be very handy. Besides: One always should backup valuable data off-site too. So besides your and my USB-disks there is a real use for online storage*
    One just needs to put a tiny bit of money and/or work in security. Even if it only was to stop your provider sniffing through your data (one guy’s M$ accounts [SkyDrive, Hotmail, Skype, …] were all locked/cancelled because he had ‘inappropriate content’ stored). For that reason either use TrueCrypt and store the container online or even use file name encryption (like BoxCryptor gives).

    * just think about the LEAs raid your home (can happen to anyone, for instance because you legally bought in a shop that does illegal stuff too) and you get all your data taken away and get it back after 6 months or more. Then your best backup at home is useless…

  10. jayesstee

    @Frank:

    Is it only obvious to you and me? Internal or external hard drives aren’t that expensive.

    Why do people want to put private and/or valuable data in a storage facility over which they have no control?

    Do they store their domestic valuables under next door’s hedge?

  11. Frank

    …it’s the most stupid thing for /anyone/ to store unencrypted data on /any/ cloud or public server.
    Nothing would have happened had that guy used BoxCryptor or one of its competitors (or simply ZIPed the files using AES encryption).

  12. Zapped Sparky

    A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

    Well done dropbox! Allowing an employee to keep users’ e-mail addresses (not passwords I hope) in a place that ANYONE on the net can access! Seriously, when are companies going to start protecting this information properly? It’s not that difficult to encrypt something that a supercomputer would take a few days/weeks to crack.

    I’m going to refer to such breaches in security from now on as [company name] post-it-note-gate :)

  13. Mike

    These thefts are totally out-of-hand, for all of our daily lives. What legal liability is there for these companies, and does the government need to step in with the threat of huge fines for less-than-adequate protections?