
Summary:

Dropbox reports that the recent spam attacks that impacted some European customers occurred when hackers used passwords obtained from outside sites to access some Dropbox accounts. The company promised a new two-factor authentication option and offered other tips.

Photo courtesy Dropbox

Maybe this will put an end to all that “Dropbox of the Enterprise” talk by cloud storage providers.

On Monday night, Dropbox acknowledged that the spam mailings afflicting users since a few weeks ago happened when hackers used passwords obtained from third-party sites to access “a small number” of Dropbox user accounts. The company called in outside experts to help its security pros, and here’s what they discovered, according to the Dropbox blog:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

It also said it would start offering a two-factor authentication option in a few weeks and is providing a new web page that lets Dropbox account holders review accesses to their accounts.

The company also recommended that users select unique (and new) passwords for all their accounts to help bolster security.
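The pattern Dropbox describes is credential stuffing: passwords leaked from one site are replayed against another, so reused passwords turn a third-party breach into a sign-in on the second service. The following is an added example, not Dropbox’s code or a description of its systems, of how a service can spot that pattern in its own sign-in logs and work out which accounts to contact. The log format (timestamp, source IP, username, OK/FAIL) and the sample lines are constructed for the example; the thresholds are assumptions a practitioner would tune.

```python
"""Credential-stuffing detection over constructed sign-in log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample records, not real data. One sign-in attempt per line:
#   <timestamp> <source IP> <username> <OK|FAIL>
# 198.51.100.7 tries many different accounts and mostly fails: a replay of
# credentials leaked elsewhere. 203.0.113.9 is one user mistyping their own
# password before getting it right, which must not be flagged.
SAMPLE_LOG = """\
2012-07-30T22:01:03Z 198.51.100.7 alice@example.com FAIL
2012-07-30T22:01:04Z 198.51.100.7 bob@example.com FAIL
2012-07-30T22:01:05Z 198.51.100.7 carol@example.com OK
2012-07-30T22:01:06Z 198.51.100.7 dave@example.com FAIL
2012-07-30T22:01:07Z 198.51.100.7 erin@example.com FAIL
2012-07-30T22:01:08Z 198.51.100.7 frank@example.com FAIL
2012-07-30T22:01:09Z 198.51.100.7 grace@example.com OK
2012-07-30T22:05:00Z 203.0.113.9 alice@example.com FAIL
2012-07-30T22:05:20Z 203.0.113.9 alice@example.com FAIL
2012-07-30T22:05:41Z 203.0.113.9 alice@example.com OK
2012-07-30T22:10:00Z 192.0.2.44 heidi@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples.

    Lines that do not match the assumed format are skipped rather than
    crashing the detector, so a corrupt line cannot blind it.
    """
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, ip, user, result = match.groups()
        events.append((ts, ip, user, result == "OK"))
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for source addresses that look like credential stuffing.

    The signature is many *distinct* usernames tried from one address with a
    high failure rate (leaked passwords only work where they were reused).
    A single user failing a few times against their own account is below
    min_users and is not flagged. Thresholds are assumed values for the example.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "successes": set()})
    for _, ip, user, succeeded in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if succeeded:
            stats["successes"].add(user)
        else:
            stats["fails"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fails"] / stats["total"]
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = stats
    return flagged


def accounts_to_notify(events, **thresholds):
    """Accounts that were successfully signed in to from a flagged source.

    These are the users whose reused password evidently worked and who need
    to be contacted, have the session revoked and the password reset.
    """
    compromised = set()
    for stats in stuffing_sources(events, **thresholds).values():
        compromised |= stats["successes"]
    return sorted(compromised)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, stats in stuffing_sources(evs).items():
        print(f"suspected stuffing source {ip}: {len(stats['users'])} accounts tried, "
              f"{stats['fails']}/{stats['total']} failed")
    print("accounts to contact:", accounts_to_notify(evs))
```

The detector keys on the source address only for simplicity; a real campaign is spread across many addresses, so the same counting is usually repeated per username-space slice and per time window, and the per-account view (which addresses have signed in to my account) is exactly what a user-facing access-review page like the one Dropbox announced exposes.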

The post was met with skepticism and anger by some online commenters. One wanted to know why a Dropbox employee had user email addresses to begin with. Others said there is no evidence that old passwords are inherently insecure, and still others pointed out that they always use unique passwords and were still hit by spam.

The situation is reminiscent of the LinkedIn security issue in June, as TechCrunch pointed out.

This is just the latest proof that cloud-deployed services are not immune from security — and other — snafus that impact any technology. But it’s a rude wake-up call to consumers who love the easy-to-use offerings and employ them without a ton of thought. The whole “Dropbox of the enterprise” meme started when dozens of companies touting IT-friendly cloud storage all glommed onto Dropbox’s huge popularity in the consumer market to position themselves. Dropbox claims 50 million users but is also flying into a headwind as Apple iCloud, Microsoft SkyDrive, Google Drive and other consumer-friendly options gain traction.

One comment on the site sums up sentiment that must keep Dropbox executives up at night. Wrote commenter Albundy:

“I left the cloud world. Right now. BB dropbox.”

  1. SkyDrive is a better option.

    1. SkyDrive? Nah, waiting for Google Drive! SkyDrive is not that great and is difficult to use, limited to one platform as well.

      1. RichardSimmons Wednesday, August 1, 2012

        Waiting for Google Drive? It’s been here for a while... a glorified Google Docs:
        https://drive.google.com/start#home

      2. Updated the story w/ more Dropbox competitors. Your comments reminded me. Thanks.

  2. Of the three major providers (Dropbox, Microsoft and Google), Dropbox is the one I trust the least with my sensitive data (if any at all). I posted back in April that I’m not a big fan of Dropbox. I like the platform, but I don’t think they have the internal controls in place.

    1. Dropbox is constantly improving their product and I believe they will iron out all the glitches and issues pretty soon – don’t give up on it just yet.

      Barb, SugarSync and Wuala might be worth mentioning too.

      1. My data is too important. I’ll let someone else take the chances as they learn how to do this correctly.

    2. Could you post a link to an article about Dropbox security issues? Many people have told me they are concerned, but none have a valid reason that applies specifically to Dropbox. And considering that this breach was NOT due to Dropbox security specifically, but third-party server security, it appears that Dropbox is doing pretty well, considering all the big names that have been hacked recently (Sony, Microsoft and Google among them).

      1. I replied to this and it didn’t show up. It may have hit the SPAM. So, I’ll link to my own post which has the link you are looking for. http://virtualizedgeek.com/2012/04/28/who-do-you-trust-with-your-data-google-microsoft-or-dropbox/

    3. Can you explain why you feel this way? It sounds like you mean it specifically for Dropbox, but considering all the hacking cases in the past year (Sony, Microsoft, Google), and that this story shows Dropbox security was breached by third parties, it actually seems they are doing a decent job, and this will now only increase their security. I have many people tell me they are concerned, but none have been able to give me a good reason…

  3. They WERE NOT HACKED. Emails and passwords from other sites have been used on Dropbox! So if you used the same password on Dropbox and on an unknown forum, it’s the forum that’s been hacked, and the credentials were then used on Dropbox.

    1. They were hacked because personal data they had for their actual users was stolen from one of their own administrators who didn’t practice good password policy. Not sophisticated, but it’s a security breach they need to take responsibility for in their own policies.

    2. They were hacked, obviously. I used a unique email alias for Dropbox only, and now I’m getting spam emails via that specific email address. I use a unique email address for every single website that I visit so it is easier for me to track down what caused the spam problem. It is obvious they were hacked.

  4. Wuala is my choice (www.JetCityOrange.com/wuala/). While Dropbox is convenient, I only use it for things that I *assume* will be public whether I specify them as public or not. For example, I use Dropbox for web site files because they’re going online anyway.

  5. This is a rather misleading article. The fact that some people used the same passwords on other services which were then used to access their accounts on Dropbox says nothing about Dropbox’s security. If an employee’s account was accessed, bad for them, but again it says nothing about Dropbox’s security. Having a list of user email addresses is bad practice, obviously, but this article is headlined and written only to make for a seemingly exciting story, which just isn’t there, I’m sorry to say.

  6. Most consumer cloud services require users to upload their data and make copies of their files, as well as account credentials, in the public cloud. However, that is not to say all cloud services are insecure… While most vendors take a similar approach of copying data out in order to provide remote and mobile access, there are still other solutions that can solve the problem and allow companies to keep their data safe with a different approach. For example, here at Oxygen Cloud we allow companies to keep their data on their own storage, and we don’t have access to corporate passwords either, so the passwords can be stored safely behind their own firewalls.

    Cloud analyst Ben Kepes actually made a really good argument on how Dropbox was never meant for the enterprise. To avoid compromising data security and rogue users, IT should also take the initiative to explore other solutions to address user needs in a more secure manner that meets their own requirements. http://www.cloudave.com/21173/dropbox-security-issues-it-has-itself-to-blame/

  7. You could also mention:
    – Res Hyperdrive (http://www.ressoftware.com)
    – Accellion / Kitedrive (http://www.accellion.com)
    – Sparkweave (http://www.sparkweave.com)
    – …

    Major players in private cloud file sharing

  8. How could they have been hacked? If the end users are stupid enough to use the same login credentials wherever they go on the web, then it’s the end user’s fault. If you give your username and password for any service to someone you don’t know or trust and then complain when that person uses it, who is to blame? People need to start taking responsibility for their own security, not shifting the blame for their own incompetent actions. It’s a shame that most people these days seem to be lacking any common sense.

    1. How could they have not been hacked if end users are smart enough to use a unique email address for each different site, yet they get SPAM through the email address that was only used for Dropbox? Because I’m getting spam through the alias used for Dropbox.

  9. No wonder I’m getting spam emails through my unique email alias created for Dropbox.

  10. I’m using a different encryption solution added on top of the cloud storage (typically BoxCryptor + Dropbox) rather than trusting the built-in (if any) encryption from these storage providers. This way, you need 2 unrelated passwords to access my data, and even if you break into Dropbox and copy everything, it won’t help (even filenames are mangled). BTW, I agree that everything I put under Dropbox, I consider “potentially public”. I’m sure there are flaws too, but it seems to be much more serious protection and it works well on iOS, Android, Linux, Mac and Windows.

  11. If someone got valid credentials, how can that be considered a hack? It’s not Dropbox’s fault. Am I missing something?

