This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Dropbox email addresses leaked? - Security worry?

Has anyone seen this?

[url="http://forums.dropbox.com/topic.php?id=64367"]http://forums.dropbox.com/topic.php?id=64367[/url]

[url="http://techcrunch.com/2012/07/17/dropbox-users-targeted-by-spam-possible-address-leak-to-blame/"]http://techcrunch.com/2012/07/17/dropbox-users-targeted-by-spam-possible-address-leak-to-blame/[/url]

[url="http://www.zdnet.com/dropbox-investigating-why-its-users-are-being-spammed-7000001081/"]http://www.zdnet.com/dropbox-investigating-why-its-users-are-being-spammed-7000001081/[/url]

[url="http://gizmodo.com/5926811/dropbox-users-report-unusual-spam-and-possible-security-breach"]http://gizmodo.com/5926811/dropbox-users-report-unusual-spam-and-possible-security-breach[/url]

Several people are complaining about receiving spam on email addresses they *only* use for Dropbox, and they're not all simply "dropbox@domain", so they may not have just been randomly generated by the spammers.

Dropbox is apparently looking into it, but I find it rather worrying. It wouldn't be the first issue that Dropbox has had, given that major screw-up it had last year.

Comments

  • khad (Social Choreographer), edited July 2012
    Thanks for the links! This is the first I've heard of it. It will be interesting to see what the story actually is once the speculation gives way to facts.
  • Well, Dropbox has now revealed the results of its investigation...

    [url="http://blog.dropbox.com/index.php/security-update-new-features/"]http://blog.dropbox.com/index.php/security-update-new-features/[/url]



    [quote]A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

    Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

    A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

    Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:
    [list]
    [*][url="http://en.wikipedia.org/wiki/Two-factor_authentication"]Two-factor authentication[/url], a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
    [*]New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
    [*]A [url="https://www.dropbox.com/account#security"]new page[/url] that lets you examine all active logins to your account.
    [*]In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)
    [/list]

    (snip)[/quote]

    I'm guessing the "stolen passwords" were from e.g. LinkedIn, Last.fm or some other site that was hacked recently, and that the users in question foolishly used the same password for Dropbox...

    Rather worrying though that one of the "stolen passwords" was used to access a Dropbox employee's account - surely they should know better than to use the same password?!

    All my passwords are unique, and Dropbox has not contacted me, so I guess I don't have to worry about that side of things.

    Two-factor authentication and actual details for logins (instead of *only* giving the IP of the desktop client) are definitely a good idea. Pity that they were not done earlier, but it's a very good step at least.
  • khad (Social Choreographer)
    YAPR. (Yet another password reuse.) Two-factor wouldn't have even been necessary in this case if there was no password reuse. :(