Blog Post

Dropbox: Yes, we were hacked


Maybe this will put an end to all that “Dropbox of the Enterprise” talk by cloud storage providers.

On Monday night, Dropbox acknowledged that the spam mailings afflicting users for the past few weeks happened after attackers used passwords obtained from third-party sites to sign in to “a small number” of Dropbox user accounts. The company called in outside experts to help its own security staff, and here is what they found, according to the Dropbox blog:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox also said it would start offering an optional two-factor authentication feature in a few weeks and is adding a new web page that lets account holders review the sign-ins to their account.

The company also recommended that users select unique (and new) passwords for all their accounts to help bolster security.

The post was met with skepticism and anger by some online commenters. One wanted to know why a Dropbox employee had a document full of user email addresses to begin with. Others said there is no evidence that old passwords are inherently insecure, and still others pointed out that they always use unique passwords and were hit by the spam anyway.

The situation is reminiscent of the LinkedIn security issue in June, as TechCrunch pointed out.

This is just the latest proof that cloud-deployed services are not immune from security — and other — snafus that impact any technology. But it’s a rude wakeup call to consumers who love the easy-to-use offerings and employ them without a ton of thought. The whole “Dropbox of the enterprise” meme started when dozens of companies touting IT-friendly cloud storage all glommed onto Dropbox’s huge popularity in the consumer market to position themselves. Dropbox claims 50 million users but is also flying into a headwind as Apple iCloud, Microsoft SkyDrive, Google Drive and other consumer-friendly options gain traction.

One comment on the site sums up the sentiment that must keep Dropbox executives up at night. Wrote commenter Albundy:

“I left the cloud world. Right now. BB dropbox.”

22 Responses to “Dropbox: Yes, we were hacked”

  1. philippe

    I’m using a different encryption solution added on top of the cloud storage (typically BoxCryptor + Dropbox) rather than trusting the built-in (if any) encryption from these storage providers. This way, you need 2 unrelated passwords to access my data, and even if you break into Dropbox and copy everything, it won’t help (even filenames are mangled). BTW I agree that everything I put under Dropbox, I consider “potentially public”. I’m sure there are flaws too, but it seems to be much more serious protection and it works well on iOS, Android, Linux, Mac and Windows.

  2. Snoopy104

    How could they have been hacked? If the end users are stupid enough to use the same login credentials wherever they go on the web, then it’s the end users’ fault. If you give your username and password for any service to someone you don’t know or trust and then complain when that person uses it, who is to blame? People need to start taking responsibility for their own security, not shifting the blame for their own incompetent actions. It’s a shame that most people these days seem to be lacking any common sense.

    • Ronald Zia

      How could they have not been hacked if end users are smart enough to use a unique email address for each different site, yet they get SPAM through the email address that was only used for Dropbox? Because I’m getting spam through the alias used for Dropbox.

  3. Most consumer cloud services require users to upload their data and make copies of their files, as well as their account credentials, in the public cloud. However, that is not to say all cloud services are insecure. While most vendors take a similar approach of copying data out in order to provide remote and mobile access, there are still other solutions that can solve the problem and allow companies to keep their data safe with a different approach. For example, here at Oxygen Cloud we allow companies to keep their data on their own storage, and we don’t have access to corporate passwords either, so the passwords can be stored safely behind their own firewalls.

    Cloud analyst Ben Kepes actually made a really good argument on how Dropbox was never meant for the enterprise. To avoid compromising data security and rogue users, IT should also take the initiative to explore other solutions to address user needs in a more secure manner that meets their own requirements.

  4. This is a rather misleading article. The fact that some people used the same passwords on other services which were then used to access their accounts on Dropbox says nothing about Dropbox’s security. If an employee’s account was accessed, bad for them, but again it says nothing about Dropbox’s security. Having a list of user email addresses is bad practice, obviously, but this article is headlined and written only to make for a seemingly exciting story, which just isn’t there, I’m sorry to say.

  5. jetcityorange

    Wuala is my choice. While Dropbox is convenient, I only use it for things that I *assume* will be public whether I specify them as public or not. For example, I use Dropbox for web site files because they’re going online anyway.

  6. They WERE NOT HACKED. Emails and passwords from other sites have been used on Dropbox! So if you used the same password on Dropbox and on an unknown forum, it’s the forum that’s been hacked and the credentials that were used on Dropbox.

    • They were hacked because personal data they had for their actual users was stolen from one of their own administrators who didn’t practice good password policy. Not sophisticated, but it’s a security breach they need to take responsibility for in their own policies.

    • Ronald Zia

      They were hacked, obviously. I used a unique email alias for Dropbox only, and now I’m getting spam emails via that specific email address. I use a unique email address for every single website that I visit so it is easier for me to track down what caused the spam problem. It is obvious they were hacked.

  7. Of the three major providers, Dropbox, Microsoft and Google, Dropbox is the one I trust the least with my sensitive data (if any at all). I posted back in April that I’m not a big fan of Dropbox. I like the platform but I don’t think they have the internal controls in place.