
Dropbox blames staffer's password reuse for spam flood breach

Web attic Dropbox has admitted spammers got hold of its users' email addresses after an employee reused his or her work password on a website that was subsequently hacked. Suspicions of a breach at the online storage service arose two weeks ago when punters received floods of unwanted messages touting gambling sites at addresses …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

It's ok...

...the cloud IS the future.

Childcatcher

Plain

Wow...all sounds very high tech! I wonder if the file was .csv or .xls format. I am glad the email addresses weren't encrypted either. Amazing. Where will the wonderful cloud future take us next?

Silver badge

Re: Plain

If the breach involves a moron who is re-using private passwords for company passwords, encryption isn't likely to help because he's also 95% likely to have the unencrypted password stored in the same locker with a non-descriptive title like "password for customer database".


Re: Plain

You optimist you Tom! 95% indeed! My favourite non-descriptive title to date.


Obvious question...

Why did they need a "project document with user email addresses"? What project could possibly require a document of all users' email addresses? Isn't that what the user database is for? Or was this just a select few users that happened to be quite vocal?

Bronze badge

Dropbox

I'll add this one to the list of reasons why people shouldn't use dropbox for anything that they want to keep private.

I'm a big fan of dropbox, I find it useful to transfer files between computers, but I wouldn't dream of storing anything sensitive on there.

I'm glad to see that the employees are entirely convinced that the service is secure and are seemingly unaware of the security hole they are peddling.


Re: Dropbox

>> I'll add this one to the list of reasons why people shouldn't use dropbox for anything that they want to keep private.

So what would you recommend I used instead then that is secure even if you give someone your full login details?


Re: Dropbox

Anything that understands he should only login from specified locations for a start? With authenticated key type devices.

But hell, just a single password and email address to bring them;

Silver badge

Re: Dropbox

Dropbox is fine if YOU have encrypted the stuff you're storing. If you're relying on someone else's encryption then you're already doing it wrong.

That's 2 security breaches in as many months for Dropbox, isn't it?

Silver badge

Re: Dropbox

"So what would you recommend I used instead then that is secure even if you give someone your full login details?"

The answer is none of them. If cloud has the means to see your files then so does anybody else who has the means to log into your account.

The only solution is secondary encryption, e.g. hold your valuable files inside an encrypted zip file.

If DropBox or Skydrive or Google Drive were serious about security they'd implement client side encryption so users could password or key protect certain folders. The password / key would be used to encrypt data and file names sent to their servers and decrypt it coming back. The provider would have no idea what the contents of the file were because they only see the encrypted data.

The reason they don't do this is because they do want to know what files you're storing. If 3000 people are storing a 250Mb Eclipse 3.4 distributable on their cloud drive they want to be able to store just one instance to that file instead of 3000 of them. Encrypted files prevent them from making that determination.

It still isn't an acceptable excuse for sensitive information which is going to be unique anyway and demands adequate protection.

Silver badge

Re: Dropbox

It doesn't matter what you use provided that it's a TrueCrypt container/s (or whatever) and it's encrypted before the cloud sees it. Deduplication is someone else's problem. It's my job to ensure that data doesn't escape.

Silver badge

Erm

"Web attic Dropbox has admitted spammers got hold of its users' email addresses after an employee reused their work password on a website that was subsequently hacked."

Simply put, an employee had a list of email addresses in his dropbox account which got leaked. How does this relate to the corresponding passwords getting lifted??

(Written by Reg staff) Silver badge

Re: Erm

"How does this relate to the corresponding passwords getting lifted?"

Assuming you're being serious, I had hoped this was obvious: if not, then I've failed as a sub-editor.

If, say, you have a Dropbox account and a CrappoMail web mail account, and you use the same email address and password for both, and then CrappoMail is compromised and the hackers have your email address and password - they can log into the Dropbox account.

From there, the hacker can find a document with Dropbox users' email addresses. These are then turned over to a spam bot for fun and profit.

C.

Silver badge

Re: Erm

My bad - on first reading it looked like Dropbox were helping users secure their mailbox after they'd used a staffer's details to steal others.

Silver badge

Re: Erm

Or to clarify my error further, I thought the passwords for the email addresses lifted from the staffer's account were lifted too.

Law

"Dropbox has admitted spammers got hold of its users' email addresses"

Translation - emails were stolen

"after an employee reused their work password on a website that was subsequently hacked"

Translation - the hackers only had one password, the employee's, who had the file.

So... no passwords of users were stolen, just a silly employee who reused their work password... a big no no.


Dropbox

I use a TrueCrypt file within dropbox for any documents - private or not.

Anonymous Coward

Re: Dropbox

Shane8, how does that speed work out? Doesn't it need to re-upload the whole single large .tc file when you add something?

Gav
Bronze badge

Re: Dropbox

Dropbox would treat it as one honking big file that is constantly changing and constantly being downloaded/uploaded. Secure, but very inefficient.

You also need TrueCrypt to hand on every computer you wish to access your dropbox from. Only way to ensure that is to carry it on a USB stick with you at all times (or be constantly downloading it). If you have a USB stick on you at all times, then why bother with dropbox?

Anonymous Coward

Re: Dropbox

I think dropbox uses rsync, so it is fairly efficient at updating the partial changes to the truecrypt file.

Most folk don't need dropbox access from World+Dog so having a few machines (home/parents/work/etc) with TrueCrypt on it is enough for those who value their privacy.

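Whether the delta sync is efficient depends on how the container is encrypted, which is the point the two replies above disagree on. This added Go example (not code from any poster, from Dropbox, rsync or TrueCrypt) models both cases: a TrueCrypt-style volume where every sector is encrypted independently, approximated here with AES-CTR keyed by sector index as a simplified stand-in for XTS, and a whole-file scheme that re-encrypts under a fresh random IV on every save, as an encrypted zip does. ChangedBlocks is a fixed-block approximation of rsync's delta scan (no rolling checksum); the 64 KiB sample volume and the ten-byte edit are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // granularity of both the container and the delta scan

// ChangedBlocks is a fixed-block delta: it hashes old and new in sectorSize chunks and
// returns how many chunks differ (a chunk present on only one side counts as changed)
// and how many chunks there are in total. Real rsync adds a rolling checksum so data
// that merely shifted position still matches; that refinement is omitted here.
func ChangedBlocks(oldData, newData []byte) (changed, total int) {
	longest := len(oldData)
	if len(newData) > longest {
		longest = len(newData)
	}
	total = (longest + sectorSize - 1) / sectorSize
	for i := 0; i < total; i++ {
		if chunkHash(oldData, i) != chunkHash(newData, i) {
			changed++
		}
	}
	return changed, total
}

func chunkHash(data []byte, i int) [sha256.Size]byte {
	lo := i * sectorSize
	if lo >= len(data) {
		return [sha256.Size]byte{} // no such chunk on this side
	}
	hi := lo + sectorSize
	if hi > len(data) {
		hi = len(data)
	}
	return sha256.Sum256(data[lo:hi])
}

// encryptSectors models a TrueCrypt-style volume: each sector is encrypted on its own
// under a counter derived from its index, so rewriting one sector changes only that
// sector's ciphertext. Real volumes use XTS; AES-CTR with the sector number in the
// high 64 bits of the counter block is a simplified stand-in with the same locality.
func encryptSectors(key, plain []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plain))
	for off := 0; off < len(plain); off += sectorSize {
		end := off + sectorSize
		if end > len(plain) {
			end = len(plain)
		}
		iv := make([]byte, aes.BlockSize)
		// Sector index in the high half; the 32 counter values one sector consumes
		// (512/16) live in the low half, so no two sectors ever share keystream.
		binary.BigEndian.PutUint64(iv[:8], uint64(off/sectorSize))
		cipher.NewCTR(block, iv).XORKeyStream(out[off:end], plain[off:end])
	}
	return out
}

// encryptWhole models an encrypted zip or any "re-encrypt the whole file under a fresh
// random IV on every save" scheme: the entire ciphertext changes even for a tiny edit.
func encryptWhole(key, plain []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize+len(plain))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plain)
	return out
}

// SamplePlain is a constructed 64 KiB "volume" image; SampleEdit is the same image
// with ten bytes rewritten at offset 10000, which falls inside sector 19.
func SamplePlain() []byte {
	p := make([]byte, 64*1024)
	for i := range p {
		p[i] = byte(i)
	}
	return p
}

func SampleEdit() []byte {
	p := SamplePlain()
	copy(p[10000:], "new bytes!")
	return p
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, n := ChangedBlocks(encryptSectors(key, SamplePlain()), encryptSectors(key, SampleEdit()))
	fmt.Printf("sector-encrypted container: %d of %d blocks to re-upload\n", c, n)
	c, n = ChangedBlocks(encryptWhole(key, SamplePlain()), encryptWhole(key, SampleEdit()))
	fmt.Printf("re-encrypted whole file:    %d of %d blocks to re-upload\n", c, n)
}
```

Run as is and the container case reports one changed block out of 128 while the whole-file case reports all 129, which is why a volume edited in place syncs cheaply and a freshly re-encrypted archive does not.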
Silver badge

How about this for an idea

The DropBox client should have a nice user friendly wizard which allows users to protect one or more folders with an encryption key. The client can even offer to generate the key as well as tools to import one. The key encrypts everything before it is sent to DropBox servers and decrypts everything before it is reconstituted on disk. At no point does DropBox even know what the files are so there is no risk of it being compromised even if someone's account was hacked or a data breach occurred.

Yes it might be a bit of a pain to set up even with a wizard and it might mean the folders are inaccessible over the web or older clients. But it would put a user's security into their own hands, and not at the mercy of DropBox's sometimes questionable behaviour.

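The scheme described in this post and in the earlier "Re: Dropbox" reply about client-side encryption, worked through as an added example (not code from any poster, from Dropbox, or from any of the products named in the thread): the client generates a key it never uploads, seals both the file name and the contents with AES-256-GCM under fresh nonces, and unseals them on the way back. The Blob type and the "provider" are hypothetical stand-ins for whatever the sync client would send; the sample file is constructed. Encrypting the same file twice also shows the deduplication cost the earlier reply mentions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Blob is all the (hypothetical) storage provider ever receives for one file:
// an opaque encrypted name and opaque encrypted content, each prefixed by its nonce.
type Blob struct {
	EncName    string // base64url(nonce || ciphertext) of the file name
	EncContent []byte // nonce || ciphertext of the file contents
}

// NewKey generates the 256-bit folder key. It stays on the client; the provider never sees it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under a fresh random nonce and returns nonce || ciphertext.
// The label is bound as associated data, so a name blob cannot be passed off as a content blob.
func seal(aead cipher.AEAD, label string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// unseal reverses seal; a wrong key, wrong label or any modified byte makes GCM reject the blob.
func unseal(aead cipher.AEAD, label string, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(label))
}

// Encrypt is what the client does before upload: name and bytes are both sealed.
func Encrypt(key []byte, name string, content []byte) (Blob, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	en, err := seal(aead, "name", []byte(name))
	if err != nil {
		return Blob{}, err
	}
	ec, err := seal(aead, "content", content)
	if err != nil {
		return Blob{}, err
	}
	return Blob{EncName: base64.RawURLEncoding.EncodeToString(en), EncContent: ec}, nil
}

// Decrypt is what the client does after download, before the file is reconstituted on disk.
func Decrypt(key []byte, b Blob) (string, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", nil, err
	}
	en, err := base64.RawURLEncoding.DecodeString(b.EncName)
	if err != nil {
		return "", nil, err
	}
	name, err := unseal(aead, "name", en)
	if err != nil {
		return "", nil, err
	}
	content, err := unseal(aead, "content", b.EncContent)
	if err != nil {
		return "", nil, err
	}
	return string(name), content, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file standing in for the "project document" of the article.
	name, content := "users-2012.csv", []byte("alice@example.com\nbob@example.com\n")
	b1, _ := Encrypt(key, name, content)
	b2, _ := Encrypt(key, name, content)
	fmt.Println("provider sees name:   ", b1.EncName)
	fmt.Println("provider sees content:", base64.RawURLEncoding.EncodeToString(b1.EncContent))
	// Same file under the same key gives different ciphertext each time, which is
	// exactly why the provider can no longer deduplicate it across accounts.
	fmt.Println("two uploads of the same file match:", bytes.Equal(b1.EncContent, b2.EncContent))
	gotName, gotContent, err := Decrypt(key, b1)
	fmt.Printf("client gets back: %s %q (err=%v)\n", gotName, gotContent, err)
}
```

The provider still learns the blob length and when it changes, and, as the post concedes, the web interface cannot show such a folder without the key; what it cannot do is read names or contents from a hijacked account, because the account never holds the key.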

Re: How about this for an idea

Sounds like a good idea. Make sure you tell the folks over at Dropbox...


Re: How about this for an idea

Nice idea, but you kind of know that the staffer in question would have a TXT file in his dropbox root with a list of the keys for each of his secured folders in plain.

As we all know, claiming something to be foolproof underestimates the ingenuity of fools...


Re: How about this for an idea

This is precisely why I use Wuala instead of DropBox


Re: How about this for an idea

Dropbox would not need to have the key under the proposed system. You're right that no system is foolproof of course, but in this scenario the fool would need to be the client.


Re: How about this for an idea

But how would they mine encrypted files for marketing data/ photos / personal information? Sorry...things to make your experience more tailored!

Bronze badge

Why cannot DropBox take a cue from Linux or even Win?

Isn't it possible in these two OS's to prevent password re-use? As long as the system keeps user account logs intact, users could be forced to change passwords and be deprived of re-using them within a given window of time, or be denied the re-use of them FOREVER.

It might even be possible to put users of a group into a group and then ban that group's individual members from using identical passwords concurrently or in a given time frame, right? So, if DropBox is smart enough to work in the cloud, why is it seeming to me they did not prevent its own sysadmins from abusing password weaknesses?

Bronze badge

Re: Why cannot DropBox take a cue from Linux or even Win?

The point is that the employee used the same email address/password combination on a website EXTERNAL to Dropbox. The external website was compromised, but the enterprising hacker, realising that the login was silly.staffer@dropbox.com, tried the same details at Dropbox, and it worked.

Unless you're suggesting that every single website in the world somehow shares its user db with every other website in the world, your suggestion isn't going to work.

Bronze badge

Re: Why cannot DropBox take a cue from Linux or even Win?

Kind thanks for the refresher. I had a nagging feeling that your response was floating in my mind so, thanks for the refresher. That felt better than the anonymous -1 someone lobbed at me.

Rgds.

Anonymous Coward

Cloud storage = secure

Psst wanna buy a used Olympic stadium?


SpiderOak

Assuming they are telling the truth, SpiderOak is pretty good for keeping items secure as it lives encrypted on their servers and they don't know your password and thus how to decrypt the data themselves. So providing you keep your password safe (and use something sensible and not just 'password'), your data is pretty safe (though, as with all encryption, with enough computing power and access to the original data and encryption algorithm, good old brute force guessing would still decrypt the data).

The SpiderOak client isn't great and I've no idea whether their employees leave files around containing customers' email addresses, but if you'd like to sign up then use the link below and we both get an extra 1GB of storage.

https://spideroak.com/download/referral/7f8fc358f1e5084bb21cd6a13047657b


Multi-factor authentication

Dear Dropbox,

If you did not provide or require multi-factor authentication (MFA) then this breach was simply inevitable and the breach is YOUR fault, the fault of a company that hurried into production a service which handles sensitive data without proper security architecture. Your multiple security breaches illustrate that you simply lack any understanding of information security practices and principles, and your statement blaming an employee indicates you lack managerial and public relations skills as well.

Good luck with your future business. If you'd like the assistance of a professional security architect, please feel free to drop me a line.

Silver badge

Web attic

That one took a few seconds to kick in as at first I thought it was a typing error, then I was all like "attic?" oh I get it now, a place where you store all your useless shit until you die and it ends up on Cash in the Attic when your family decide to sell all your private personal possessions so that they can fund a three-day trip to Blackpool to play Bingo and get drunk on cheap fortified wine in your memory...

Don't think it actually works to be honest, how about Web Dodgy Dossier or Web Cubby Hole instead?

And why does Firefox's spell checker want me to change it to say "Chubby Hole" that's a bit rude! The perils of open source - should be called open sauce lol
