Dropbox blames staffer's password reuse for spam flood breach

Web attic Dropbox has admitted spammers got hold of its users' email addresses after an employee reused his or her work password on a website that was subsequently hacked. Suspicions of a breach at the online storage service arose two weeks ago when punters received floods of unwanted messages touting gambling sites at …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    It's ok...

    ...the cloud IS the future.

  2. Derezed
    Childcatcher

    Plain

    Wow...all sounds very high tech! I wonder if the file was .csv or .xls format. I am glad the email addresses weren't encrypted either. Amazing. Where will the wonderful cloud future take us next?

    1. Tom 13
      FAIL

      Re: Plain

      If the breach involves a moron who is re-using private passwords for company passwords, encryption isn't likely to help because he's also 95% likely to have the unencrypted password stored in the same locker with a non-descriptive title like "password for customer database".

      1. Derezed
        Thumb Up

        Re: Plain

        You optimist you Tom! 95% indeed! My favourite non-descriptive title to date.

  3. InsaneLampshade
    WTF?

    Obvious question...

    Why did they need a "project document with user email addresses"? What project could possibly require a document of all users email addresses, isn't that what the user database is for? Or was this just a select few users that happened to be quite vocal?

  4. Fuzz

    Dropbox

    I'll add this one to the list of reasons why people shouldn't use dropbox for anything that they want to keep private.

    I'm a big fan of dropbox, I find it useful to transfer files between computers, but I wouldn't dream of storing anything sensitive on there.

    I'm glad to see that the employees are entirely convinced that the service is secure and are seemingly unaware of the security hole they are peddling.

    1. jb99

      Re: Dropbox

      >> I'll add this one to the list of reasons why people shouldn't use dropbox for anything that they want to keep private.

      So what would you recommend I use instead then that is secure even if you give someone your full login details?

      1. DJ Smiley

        Re: Dropbox

        Anything that understands he should only log in from specified locations, for a start? With authenticated key-type devices.

        But hell, just a single password and email address to bring them;

        1. Anonymous Coward
          Anonymous Coward

          Re: Dropbox

          Dropbox is fine if YOU have encrypted the stuff you're storing. If you're relying on someone else's encryption then you're already doing it wrong.

          That's 2 security breaches in as many months for Dropbox, isn't it?

      2. DrXym

        Re: Dropbox

        "So what would you recommend I use instead then that is secure even if you give someone your full login details?"

        The answer is none of them. If cloud has the means to see your files then so does anybody else who has the means to log into your account.

        The only solution is secondary encryption, e.g. hold your valuable files inside an encrypted zip file.

        If DropBox or Skydrive or Google Drive were serious about security they'd implement client side encryption so users could password or key protect certain folders. The password / key would be used to encrypt data and file names sent to their servers and decrypt it coming back. The provider would have no idea what the contents of the file were because they only see the encrypted data.

        The reason they don't do this is because they do want to know what files you're storing. If 3000 people are storing a 250Mb Eclipse 3.4 distributable on their cloud drive they want to be able to store just one instance to that file instead of 3000 of them. Encrypted files prevent them from making that determination.

        It still isn't an acceptable excuse for sensitive information which is going to be unique anyway and demands adequate protection.

        1. Anonymous Coward
          Anonymous Coward

          Re: Dropbox

          It doesn't matter what you use provided that it's a TrueCrypt container/s (or whatever) and it's encrypted before the cloud sees it. Deduplication is someone else's problem. It's my job to ensure that data doesn't escape.

  5. Annihilator
    Paris Hilton

    Erm

    "Web attic Dropbox has admitted spammers got hold of its users' email addresses after an employee reused their work password on a website that was subsequently hacked."

    Simply put, an employee had a list of email addresses in his Dropbox account which got leaked. How does this relate to the corresponding passwords getting lifted?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Erm

      "How does this relate to the corresponding passwords getting lifted?"

      Assuming you're being serious, I had hoped this was obvious: if not, then I've failed as a sub-editor.

      If, say, you have a Dropbox account and a CrappoMail web mail account, and you use the same email address and password for both, and then CrappoMail is compromised and the hackers have your email address and password - they can log into the Dropbox account.

      From there, the hacker can find a document with Dropbox users' email addresses. These are then turned over to a spam bot for fun and profit.

      C.

      1. Annihilator
        Facepalm

        Re: Erm

        My bad - on first reading it looked like Dropbox were helping users secure their mailbox after they'd used a staffer's details to steal others.

        1. Annihilator
          Facepalm

          Re: Erm

          Or to clarify my error further, I thought the passwords for the email addresses lifted from the staffer's account were lifted too.

  6. Law

    "Dropbox has admitted spammers got hold of its users' email addresses"

    Translation - emails were stolen

    "after an employee reused their work password on a website that was subsequently hacked"

    Translation - the hackers only had one password, the employee's, who had the file.

    So... no passwords of users were stolen, just a silly employee who reused their work password... a big no no.

  7. Shane8
    Go

    Dropbox

    I use a TrueCrypt file within dropbox for any documents - private or not.

    1. Anonymous Coward
      Anonymous Coward

      Re: Dropbox

      Shane8, how does that speed work out? Doesn't it need to re-upload the whole single large .tc file when you add something?

      1. Gav
        Holmes

        Re: Dropbox

        Dropbox would treat it as one honking big file that is constantly changing and constantly being downloaded/uploaded. Secure, but very inefficient.

        You also need Truecrypt to hand on every computer you wish to access your dropbox from. Only way to ensure that is to carry it on a USB stick with you at all times (or be constantly downloading it). If you have a USB stick on you at all times, then why bother with dropbox?

        1. Anonymous Coward
          Anonymous Coward

          Re: Dropbox

          I think dropbox uses rsync, so it is fairly efficient at updating the partial changes to the truecrypt file.

          Most folk don't need Dropbox access from World+Dog, so having a few machines (home/parents/work/etc) with TrueCrypt on them is enough for those who value their privacy.

  8. DrXym

    How about this for an idea

    The DropBox client should have a nice user-friendly wizard which allows users to protect one or more folders with an encryption key. The client can even offer to generate the key as well as tools to import one. The key encrypts everything before it is sent to DropBox servers and decrypts everything before it is reconstituted on disk. At no point does DropBox even know what the files are, so there is no risk of it being compromised even if someone's account was hacked or a data breach occurred.

    Yes it might be a bit of a pain to set up even with a wizard and it might mean the folders are inaccessible over the web or older clients. But it would put a user's security into their own hands, and not at the mercy of DropBox's sometimes questionable behaviour.
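    To make the client-side scheme DrXym sketches here (and in his earlier "Re: Dropbox" reply) concrete, an added example that is not from the original thread, from Dropbox or from any of the named products: a standard-library-only Python model in which the client stretches the user's passphrase into keys, encrypts both file contents and file names before upload, and the provider stores nothing but opaque blobs. The HMAC-based keystream and tag are a constructed stand-in for a real AEAD cipher such as AES-GCM, and the file names a client downloads are assumed to come from a local list.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an AEAD cipher using only the standard library: an
# HMAC-SHA256 keystream for confidentiality plus an encrypt-then-MAC tag for
# integrity. A real client would use AES-GCM or similar; the key handling is the point.

def derive_keys(passphrase: str, salt: bytes) -> dict:
    """Stretch the user's passphrase into separate content, MAC and name keys."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=96)
    return {"enc": km[:32], "mac": km[32:64], "name": km[64:]}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt_blob(keys: dict, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per upload, so identical files never match
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_blob(keys: dict, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys["enc"], nonce, len(ct))))

def encrypt_name(keys: dict, name: str) -> str:
    """Deterministic per user, so a path maps to the same server object on every sync."""
    return hmac.new(keys["name"], name.encode(), hashlib.sha256).hexdigest()[:32]

def upload_folder(passphrase: str, salt: bytes, files: dict) -> dict:
    """What the provider ends up storing: opaque names mapped to opaque blobs."""
    keys = derive_keys(passphrase, salt)
    return {encrypt_name(keys, n): encrypt_blob(keys, d) for n, d in files.items()}

def download_folder(passphrase: str, salt: bytes, stored: dict, names: list) -> dict:
    """Client side: recover the named files from the provider's opaque store."""
    keys = derive_keys(passphrase, salt)
    return {n: decrypt_blob(keys, stored[encrypt_name(keys, n)]) for n in names}

if __name__ == "__main__":  # constructed sample: one file of customer addresses
    stored = upload_folder("correct horse battery", b"salt" * 4, {"customers.csv": b"alice@example.invalid\n"})
    print(list(stored), download_folder("correct horse battery", b"salt" * 4, stored, ["customers.csv"]))
```

    Because every upload uses a fresh nonce, a changed file is a wholly new blob to the server, which is the same efficiency cost the TrueCrypt-container replies above discuss, and two users' copies of the same file never match, which is exactly the deduplication DrXym says the providers would lose.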

    1. Frank Bitterlich
      Thumb Up

      Re: How about this for an idea

      Sounds like a good idea. Make sure you tell the folks over at Dropbox...

    2. BorkedAgain
      Thumb Up

      Re: How about this for an idea

      Nice idea, but you kind of know that the staffer in question would have a TXT file in his dropbox root with a list of the keys for each of his secured folders in plain.

      As we all know, claiming something to be foolproof underestimates the ingenuity of fools...

      1. lurker

        Re: How about this for an idea

        Dropbox would not need to have the key under the proposed system. You're right that no system is foolproof, of course, but in this scenario the fool would need to be the client.

        1. Derezed
          Big Brother

          Re: How about this for an idea

          But how would they mine encrypted files for marketing data / photos / personal information? Sorry... things to make your experience more tailored!

    3. Disco Wizard

      Re: How about this for an idea

      This is precisely why I use Wuala instead of DropBox

  9. dssf

    Why cannot DropBox take a cue from Linux or even Win?

    Isn't it possible in these two OSes to prevent password re-use? As long as the system keeps user account logs intact, users could be forced to change passwords and be deprived of re-using them within a given window of time, or be denied the re-use of them FOREVER.

    It might even be possible to put users of a group into a group and then ban that group's individual members from using identical passwords concurrently or in a given time frame, right? So, if DropBox is smart enough to work in the cloud, why is it seeming to me they did not prevent its own sysadmins from abusing password weaknesses?

    1. ElNumbre
      Stop

      Re: Why cannot DropBox take a cue from Linux or even Win?

      The point is that the employee used the same email address/password combination on a website EXTERNAL to Dropbox. The external website was compromised, but the enterprising hacker, realising that the login was silly.staffer@dropbox.com, tried the same details at Dropbox, and it worked.

      Unless you're suggesting that every single website in the world somehow shares its user db with every other website in the world, your suggestion isn't going to work.

      1. dssf

        Re: Why cannot DropBox take a cue from Linux or even Win?

        Kind thanks for the refresher. I had a nagging feeling that your response was floating in my mind, so thanks for the refresher. That felt better than the anonymous -1 someone lobbed at me.

        Rgds.

  10. Anonymous Coward
    Anonymous Coward

    Cloud storage = secure

    Psst wanna buy a used Olympic stadium?

  11. Ascy

    SpiderOak

    Assuming they are telling the truth, SpiderOak is pretty good for keeping items secure as it lives encrypted on their servers and they don't know your password and thus how to decrypt the data themselves. So providing you keep your password safe (and use something sensible and not just 'password'), your data is pretty safe (though, as with all encryption, with enough computing power and access to the original data and encryption algorithm, good old brute force guessing would still decrypt the data).

    The SpiderOak client isn't great and I've no idea whether their employees leave files around containing customers' email addresses, but if you'd like to sign up then use the link below and we both get an extra 1GB of storage.

    https://spideroak.com/download/referral/7f8fc358f1e5084bb21cd6a13047657b

  12. Albatross
    FAIL

    Multi-factor authentication

    Dear Dropbox,

    If you did not provide or require multi-factor authentication (MFA) then this breach was simply inevitable and the breach is YOUR fault, the fault of a company that hurried into production a service which handles sensitive data without proper security architecture. Your multiple security breaches illustrate that you simply lack any understanding of information security practices and principles, and your statement blaming an employee indicates you lack managerial and public relations skills as well.

    Good luck with your future business. If you'd like the assistance of a professional security architect, please feel free to drop me a line.

  13. LinkOfHyrule
    Paris Hilton

    Web attic

    That one took a few seconds to kick in, as at first I thought it was a typing error, then I was all like "attic?" oh I get it now, a place where you store all your useless shit until you die and it ends up on Cash in the Attic when your family decide to sell all your private personal possessions so that they can fund a three-day trip to Blackpool to play Bingo and get drunk on cheap fortified wine in your memory...

    Don't think it actually works to be honest, how about Web Dodgy Dossier or Web Cubby Hole instead?

    And why does Firefox's spell checker want me to change it to say "Chubby Hole" that's a bit rude! The perils of open source - should be called open sauce lol
