Security update & new features

Posted by Aditya Agarwal on July 31, 2012

A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen, including:

  • Two-factor authentication, a way to optionally require two proofs of identity (such as your password and a temporary code sent to your phone) when signing in. (Coming in a few weeks)
  • New automated mechanisms to help identify suspicious activity. We’ll continue to add more of these over time.
  • A new page that lets you examine all active logins to your account.
  • In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites.

If you have any questions or concerns, please contact us at support+security@dropbox.com. We’re committed to keeping your Dropbox safe and will continue to monitor this situation carefully.

270 Comments to Security update & new features

sethgodin
August 1, 2012

I think it was a mistake to send the new password note to your users asking them to click on a link to enter a new password. It looks a lot like phishing (which it isn't, of course). Thanks for working hard to keep up security.

Matt Dodd
August 1, 2012

Thanks for the information :-)

The additional security measures will be much appreciated. It's a pity that they were not implemented sooner, however. I actually suggested 2-step authentication and activity logs to Dropbox support way back in June 2011 after the last security issue caused accounts to be accessible without passwords…

Prem S
August 1, 2012

I agree – I came to this blog to see if it was a valid email – that's not the best way to inform users – please make a clear blog post saying that the email is from you… I think you've just freaked out a bunch of people…

tomh
August 1, 2012

uhh, so if we got the email, should we be worried about having the contents of our dropbox accessed? that could have some major ramifications. 

KennyMac
August 1, 2012

I agree with Prem S and Seth (Seth Godin? The author? If so, AWESOME!) — that email smelled fishy to me.

Evan
August 1, 2012

I agree sethgodin. also – why would you send this from no-reply@dropboxmail.com? http://www.dropboxmail.com doesn't even redirect to your website, or resolve in DNS. Yes, the authoritative name servers for the domain are dropbox.com, but that is a mute point.

NobodySpecial
August 1, 2012

MOOT point. Sorry, pet peeve.

Nigel
August 1, 2012

I agree with the comments about the inappropriateness of the announcement e-mail – I am being regularly warned not to follow links in e-mails, as this is the way phishers work. I was very concerned about the unsolicited DropBox email, so also came here to check. this is just slack DropBox behaviour – come on team, we expect better! (and thanks for keeping us aware of the security issues)

David Smith
August 1, 2012

I share the concern over the way in which you've gone about contacting users. In addition, there was no need for me to change my password to start with (I use 1Password). Now, I have no choice but to change my password — and then update my account details on all my various devices! Much better if you'd invited your users/customers to consider if they should change their password …

Gonzalo Alvarez
August 1, 2012

Seriously guys, that email smelled like phishing. A LOT. You could do better than that… 

Mathieu Longtin
August 1, 2012

Nowhere in the blog post does it mention resetting passwords. Nor does it mention that weirdly suspicious email. 

I just tried to login to my account, and it accepted my old password.

Is my password reset or not? Or does it reset upon clicking the link? Did you send this to everybody or just people with suspicious activity? 

Kevin
August 1, 2012

I didn't get the email from dropbox but I did receive the euro dice spam

Nathan Pinkerton
August 1, 2012

I would like to add my voice to the growing list of those who dislike how this was handled.
I am very security conscious, and have a personal policy of NEVER clicking a link in email. This goes doubly for unsolicited emails regarding passwords. It is simply too easy to make a malicious link look legit. I should point out, also, that I use LastPass and use a different, unique, randomly generated password for each site… so I was a little suspicious of the email, to begin with… OK, a LOT suspicious.

So, upon receiving the email (suspicion level: 9000), I first did a google search with the contents of the email as my search term… no hits. Suspicion level: +100

Next, I visit dropbox.com, looking to see if there is a notice on the homepage. No notice. Suspicion level: +50

I attempt to log in to dropbox.com. Invalid username or password. Suspicion level: +9999999999

I attempt to change my password, but I am thwarted by my inability to log in (see above). Frustration level: +100

Find this blog post, decide the email is legit, and after multiple attempts to change my password, or use the “forgot my password” tool, I decide that my only option is to break my rule, and click the link in my email. Suspicion level: 0 Frustration level: +999999999

Now, I am going to have to explain, to friends and family, that I am the default tech support for, why it is OK, *just this once*, to click a link in an unsolicited email, and give them your password.

Beyond all that; I am concerned regarding one of the two criteria that you named, in this blog post, that might possibly cause someone to be required to change their password. Specifically, I am concerned about the criterion, “if it's commonly used.” Ideally, passwords should be stored in your database as salted hashes, with the salt being something unique in each password (just like you recommend that people use a different password for each site). If this is the case, there is no way for you to know if any given password is commonly used, since all you would know about it is that it hashed to a string of characters that looks like gibberish. I suppose that, if you are hashing the passwords, unsalted or with a static salt, you could tell if the password is common by comparing the hashes in your password database… but that also would mean that the bad-guys could do the same if that database were ever compromised… and heaven help us if the passwords are stored in plain text.

Ryan Goldstein
August 1, 2012

A better (IMO) alternative to 1Password is LastPass: https://www.lastpass.com/

It's free – but if you want a Premium subscription, which provides priority support, mobile device access, and a few other features, it only costs $12/year.

guest
August 1, 2012

I totally thought this was a phishing scheme!  I was just about ready to forward it to Dropbox security when I started seeing it pop up on Twitter.  dropboxmail.com?  Really?  For something this important?

And forcing users to change their password NOT because your storage of those passwords/hashes was compromised, but because there might be a slight chance that I reuse my DBox password on another website that *was* compromised (which I don't).  Wow, I think that this action is really poor judgement on the part of the DBox team.  Maybe send out an email first telling that you'd like us to consider changing our password before you just change it on us without warning.

Very disappointing.

Andrew Bartelt
August 1, 2012

I had previously used lastpass to generate a random 8 character password. I don't appreciate having to reset it.

Chris Beaven
August 1, 2012

Please use the standard RFC 6238 two-factor authentication algorithm…
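RFC 6238, which Chris Beaven asks for above, in working Python as an added example (not code from the post or from Dropbox): HOTP per RFC 4226, TOTP layered on it, and the server-side verification a service would run, checked against the test vectors published in RFC 6238 (secret `12345678901234567890`, T=59 gives `94287082` with 8 digits). The skew window and the returned step counter are design choices of this example, so a caller can record the counter and refuse a second login with the same code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate
    4 bytes at the offset given by the low nibble of the last digest byte, and
    reduce the 31-bit value modulo 10^digits, left-padded with zeros."""
    hash_fn = getattr(hashlib, algorithm)
    digest = hmac.new(secret, struct.pack(">Q", counter), hash_fn).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of whole
    time steps elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check (this example's design, not mandated by the RFC):
    accept the current step and `window` steps either side to tolerate clock
    skew, compare in constant time, and return the matching step counter so
    the caller can store it and reject a replayed code. None means no match."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), code):
            return current + delta
    return None


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what authenticator apps
    expect to be typed in or carried in a QR code."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    # The RFC 6238 test-vector secret (ASCII digits), not a real key.
    secret = b"12345678901234567890"
    print("base32 secret:", provisioning_secret(secret))
    print("code for T=59:", totp(secret, 59, digits=8))  # 94287082 per the RFC
    print("code now:", totp(secret, int(time.time())))
```

The secret must be generated randomly per user and stored server-side like any other credential; an app-based code generator of this kind also answers Shelley Powers' point further down that not every user has text messaging.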

r3v
August 1, 2012

It's a MOO point.

It's like a cow's opinion. It's moo.

r3v
August 1, 2012

Unless YOUR system was compromised, MY password was secure. :/ I follow good security protocols.

Paul
August 1, 2012

This is a joke? Right?

I already use a unique password for Dropbox, because A: I'm not a moron and B: I use a password management app that makes this kind of thing trivial. But yet, because some of your users have trouble remembering their own name and go around the internet with the same password on each site, I have to reset MY password?!?

Poor form Dropbox. Really poor form.

None
August 1, 2012

Just another reason to move to Google Drive.  Cheaper, better, already has 2-factor authentication, never sends fishy email…  I've just cancelled and will not be renewing my Dropbox account.

GT
August 1, 2012

Just got the very suspicious looking email, and am now shocked to learn that it's legit. It breaks all the commonsense rules that we've all learned about not clicking on unknown links. Not at all cool, Dropbox!

Ryan Kearney
August 1, 2012

Hey calm down buddy. Phishing emails rarely, if EVER, include the person's name in them. The fact that the email addressed you by your first name should have cast some doubt on your assumption that it was a phishing email.

Secondly, you can see the link points to dropbox.com, so there's really no cause for alarm.

Finally, I just logged into my Dropbox account using my “old” password with no issues at all. I could have ignored this email all together and I wouldn't have noticed a thing.

Ryan Kearney
August 1, 2012

“It's free, unless you want to sync it with a mobile device, which you'll pretty much have to if you want to get Dropbox or anything for that matter on your phone.”

I stopped using LastPass due to their god awful UI and inability to write an iOS app that doesn't look like it's written in Java on a BlackBerry.

Ryan Kearney
August 1, 2012

If you bothered to read the email, you would have noticed this piece:

“We haven’t detected any suspicious activity in your Dropbox, but we’re proactively taking steps to keep users safe.”

If your Dropbox WAS accessed, it was because you used the same password on another site that was hacked, which is just bad on your part.

Ryan Kearney
August 1, 2012

I didn't reset my password and have no problems logging in with my “old” password.

Ryan Goldstein
August 1, 2012

That's true; I'm not a big fan of their iOS app either. However, they released a new, redesigned version a couple weeks ago that improves look and functionality. It's still not great, but it's certainly better than it was.

http://itunes.apple.com/us/app

Chris Hulbert
August 1, 2012

Can i plug my own app here or is that poor form? Well i'll do it anyway: http://www.skeletonkeyapp.com/

sqweasel
August 1, 2012

I like the Google Drive feature (eula) where you let Google look at all of your files.  That's keen.

Shelley Powers
August 1, 2012

Not here to slam you, just to say I really like the activity page. That's a good idea. 

mcored
August 1, 2012

+Dropbox
Time to support Google Authenticator :)

guest
August 1, 2012

8 characters isn't secure.

guest
August 1, 2012

Looks like it does redirect now

Kyle Storm
August 1, 2012

Looks like I'm one of those people to whom this reset was quite irrelevant, as I changed my Dropbox password to something more unique, long, yet memorable. It /is/ annoying to have to reset that (even if I'd just change it to be the same again).

That said, I'm glad to hear that while there have been password leaks all over the internet during the recent years, Dropbox wasn't among the companies that say “We take the security of our users VERY seriously!” yet store our passwords in plain text and bite the bad publicity when those passwords are spread all over the net.

Sadly, “one pass to rule them all” is an approach a LOT of users take and whether we like it or not, the vast majority of our population is likely made of those exact idiots that people here say they aren't. Hell, I myself had three or four “main” passwords, but I've been trying to slowly kill that bad habit, what with KeePass and Dropbox making a secure and free multi-platform keychain… For the sake of all those users, I understand the step that Dropbox took and appreciate the effort, though it may have been better to simply advise all the users to change their password on their own terms instead of force-resetting them. Hopefully, the team will learn from the feedback and take that the less aggressive step in the future.

Anyway, I'm looking forward to the two-factor authentication. This is an awesome feature that I first tried with Google and if implemented properly, it will heavily improve the security of my account, making the password alone insufficient to break into it and grab all the data that I store there – something that's been rubbing me the wrong way lately when I wanted to retrieve data from a computer that didn't belong to me.

I really like Dropbox (got almost 12GB from quests, EDU and referrals there – something GDrive likely wouldn't have) and I appreciate what you guys are doing for us. Just try to be a bit less aggressive with things that may not be relevant to some of your users to avoid disruptions in their lives.

Tanel
August 1, 2012

“In some cases, we may require you to change your password. (For example, if it’s commonly used” – WTF.. How does Dropbox know if a password is commonly used? Are the passwords hashed without a salt? 

Nayr
August 1, 2012

And I couldn't. So what? 

Tom Schlick
August 1, 2012

No. They would just check your password against a list of commonly known passwords before it is hashed and salted and compared against the password in their db.

Ryan Kearney
August 1, 2012

Seriously, 8 characters is pathetic. Dropbox did this guy a favor.

Tom Schlick
August 1, 2012

Where did you get that they store passwords in plain text? The only thing about stolen passwords they mention is that someone got a hold of an employee's password and used it to steal a document that contained user emails… nothing about compromised user passwords.

Nathan Pinkerton
August 1, 2012

Kyle, I agree with everything you said… except for the comment about the people here being the idiots we claim not to be (“…those exact idiots that people here say they aren't…”). Since DropBox forced me to change my password, I feel confident in sharing my old password: H$yx&7AwKR!N

My passwords are generated using LastPass' secure password generator. I use 12 characters of mixed case, alphanumerics & special characters. AND, I use unique passwords for each and every site. And I use YubiKey's 2 Factor Authentication everywhere I can, ESPECIALLY on my password store… That being said, I, again, agree with you on all points but that one.

For my thoughts on the other side of this issue, see my post further down the page.

For my recommendation for 2 Factor Authentication, look no further than http://yubico.com/yubikey

Shelley Powers
August 1, 2012

One other comment on your proposed two-factor authentication:

Don't assume your app users have text messaging. I disabled text messaging on my phone, and others may also not have the capability. 
In other words, don't assume everyone is the same. 

guest
August 1, 2012

In order to verify your password at login, Dropbox needs to know the salt and hashing algorithm – they basically convert your typed password into the salted hash that they store server side, and make sure they match.  

In order to verify that you're not using a commonly used password, they could basically try to authenticate against your salted hash, using their list of commonly used passwords.  If they succeed, you receive notice to change account.  

Optimally, they're using unique salt per user, so wouldn't just be able to generate the salted hashes of the commonly used passwords once to compare against everyone.  

Nathan Pinkerton
August 1, 2012

The only way that they could be using that technique to require users to change their passwords after-the-fact, would be if they are storing the results for later comparison… which amounts to the same thing.

The only way your proposed solution works, is if they used it simply to refuse to accept a particular password from being used initially.

Tanel is right to question that statement. It calls into question their password storage policy.

Ideally the passwords should be hashed with unique salt.

If they are using that technique, there is no way to determine if a password is commonly used. So, from this criterion, we can determine that Dropbox is not using a unique salt when hashing passwords.

We can still hope that they are using SOME kind of salt, because rainbow tables make unsalted hashes almost useless, and plaintext is plain terrifying… and if they are using a static salt, we can only hope that it is not stored in the same database.

Sudhir Khanger
August 1, 2012

Please use Google Authenticator.
Android doesn't show country or last activity.

Tom Schlick
August 1, 2012

No one said that the list of commonly used passwords is generated from their own password list. There are plenty available on the internet to compare against.

Also they can check your password against that list every time you login. Since you are sending it to their server unencrypted (after SSL) they can check it at that time.
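Both checks discussed in this sub-thread in working Python, as an added example that is not part of the original post or of Dropbox's code: Tom Schlick's login-time comparison of the submitted password against a common-password list before it is hashed, and the anonymous guest's after-the-fact test of that list against each user's stored salted hash. The common-password list, the PBKDF2 parameters and the record layout are constructed for the demo. It also shows the guest's last point: with one site-wide salt the list is hashed once and matched against every account, which is exactly the shortcut a thief of the table would get.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed common-password list for the demo; a real deployment would load a
# published list of frequently used or breached passwords instead.
COMMON_PASSWORDS: List[str] = ["password", "123456", "qwerty", "secret", "letmein"]

PBKDF2_ITERATIONS = 100_000  # demo parameter, not a production recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (illustrative KDF choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def create_user_record(password: str) -> Dict[str, bytes]:
    """Store a fresh random salt next to the hash; the password itself is never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(record: Dict[str, bytes], password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def is_common_at_login(password: str) -> bool:
    """Login-time check: the server holds the plaintext for the duration of the
    request (after TLS termination), so it can compare it to the list before
    hashing without weakening how the hashes are stored."""
    return password.lower() in {p.lower() for p in COMMON_PASSWORDS}


def audit_record_against_common(record: Dict[str, bytes]) -> bool:
    """After-the-fact check against one stored salted hash: run each common
    password through the KDF with this user's salt. With per-user salts the
    work cannot be shared between accounts, so cost scales with users x list."""
    for guess in COMMON_PASSWORDS:
        if hmac.compare_digest(hash_password(guess, record["salt"]), record["hash"]):
            return True
    return False


def audit_all_with_static_salt(hashes: Dict[str, bytes], static_salt: bytes) -> List[str]:
    """The same audit when every account shares one site-wide salt: the common
    list is hashed once and looked up against every stored hash. Cheap for the
    operator, and equally cheap for anyone who obtains the table and the salt."""
    table = {hash_password(p, static_salt): p for p in COMMON_PASSWORDS}
    return sorted(user for user, h in hashes.items() if h in table)


if __name__ == "__main__":
    rec = create_user_record("secret")
    print("login ok:", verify_login(rec, "secret"))
    print("flagged at login:", is_common_at_login("secret"))
    print("flagged by offline audit:", audit_record_against_common(rec))
```

Either check can therefore be done without storing anything recoverable to plaintext; the difference is cost. The login-time check is free, the offline audit against per-user salts costs one KDF run per (user, candidate) pair, and only a static or absent salt makes the offline audit cheap, which is why that design is the one to avoid.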

Nathan Pinkerton
August 1, 2012

He didn't say that. He said that he was glad that DropBox was not like the companies who say that they are secure then apologize for storing passwords in plaintext after getting hacked. (I paraphrased and reworded, but kept meaning intact)

Guest
August 1, 2012

client-side encryption :)

Tom Schlick
August 1, 2012

You're correct. I misread the post and thought it was another post. Sorry for the confusion.

Nathan Pinkerton
August 1, 2012

Good point. You are right. I can't think of any reason that would not work.

Damian Harvey
August 1, 2012

Came here to say the same thing. Dreamhost does it. 

Mm
August 1, 2012

At least Google employees don't reuse their login details from other websites at work
oooooh snaaaap

Nathan Pinkerton
August 1, 2012

It would seem that you and I have transgressed the cardinal law of Internet arguing by admitting fallibility… We may come to know each other very well over the following months, as we endure the court cases surrounding our instigation of the implosion of the Internet.

(We both, within a minute of each other, posted an acknowledgment of being wrong to each other, in separate threads… surely the internet cannot survive this… perhaps an unwarranted ad hominem attack can reset the balance… you jackass)

Barbara Schmitz
August 1, 2012

I'm just a middle-aged-mom user (ask Drew H.) and even I thought the email from DB was phishing…

douglass
August 1, 2012

y'all are a bunch of assclowns. i already *do* use a separate password for every site. either you're lying, and you do have proof my password was stolen (which wouldn't be a surprise given your track record of lying to customers about security) or WTF are you resetting my password for?

jerks.

Tom Schlick
August 1, 2012

Only memes can save us now. We must sacrifice the beautiful memes so the internet gods will show mercy.

Nathan Pinkerton
August 1, 2012

I'm no fan of how this was handled, read my earlier comments for proof.

However, to be fair, they didn't say that you weren't/aren't using unique passwords for different sites (because they have no way of knowing that anyway).

They are saying that a lot of people DO use the same password across multiple sites, and several sites have been compromised recently. So, they decided to reset the password of anyone using a “commonly used” password and/or anyone who hasn't changed their password recently.

You, like I, seem to have been caught by the not-changed-recently criterion.

There is plenty about this to question/be-frustrated-by without false accusations.

Anonymous
August 1, 2012

At least this is better than the last time when all passwords were turned off.

James Wyse
August 1, 2012

Please use google authenticator! I don't need any more of these damn security apps on my phone!

Tanel
August 1, 2012

surely they *can* do it. I'm just doubting they do it, because their wording is rather vague. 

however I changed my password to “secret” – dropbox happily allowed me to do so. also logging in with “secret” gave me no warnings. so.. you believe what you want.

Daniel Osborne
August 1, 2012

Just adding my opinion/information as well, so take it for what it's worth:
Dropbox, adding a link in an email, particularly a security related one at that is a BIG no-no. Apparently from what I've been reading here, it's also the ONLY way to reset it (even worse). 
Now I never received the email, and my password is not particularly secure (so I can get to my password safe database without needing my password safe to login), however I do use a unique email for every account (huge benefit for owning your own domain). Granted that's not an option for everyone.
When I logged in I also was not notified or asked to change my password or anything.
The only reason I heard about it was from a CNet article (with a sensationalist headline).

Adrian
August 1, 2012

1. How the hell do you know if my password is commonly used??? Isn't it supposed to be kept crypted?
2. Since when do you reset my password without me asking for that? You could have sent an email with “RESET you pass here !!!1111 It has to be now!!!11″ but you don't leave me out of my own account until I see the email.

Don't bullshit us, please. If you had a problem, tell us. We're a lot of developers and we understand.

Mike Walker
August 1, 2012

1. If your password's hash matches hashes of commonly used passwords then it's insecure.
2. It's better to reset the password of a potentially compromised account than to have the account accessed by someone with malicious intent.

Sounds like you're just looking for something to be angry about. Dropbox did the right thing.

Erroneus
August 1, 2012

WHAT THE F…………

I do NOT use my dropbox password for multiple services, in fact I don't use ANY multiple passwords and I use very long passwords with multiple char sets.

You do NOT have my permission to reset my password without ANY warning and letting me know via an email, which at first looks highly like a phishing mail.

So how about you cut the BS Dropbox and tell us what's really going on, because this smells A LOT like you fucked up AGAIN, and are trying to cover it up.

I guess that Google Drive looks better and better, prices are better there also.

Adrian
August 1, 2012

no, i'm just not cool when people are not being honest.

Alexander Liffers
August 1, 2012

So much hate. Just change your freakin' passwords and get over it.  So what if you have to change it again now instead of in 30 or 60 days time.  You do change your passwords regularly anyway don't you (directed at all the self purported developer/security/it specialists below)?

Erroneus
August 1, 2012

They handle it right by sending out mails, which at first look like a phishing mail?

They assume that all of their users are dumb asses who can't make a proper password or know how to use passwords properly. As they explain it, the problem is not with them (though not like we believe them), but with some users, so now they are treating every single one of their users as dumb asses.

Also be prepared for a huge dropbox phishing campaign, this will be misused.

Tanel
August 1, 2012

wow, if you are able to match password hash to other hashes at all, it means the whole password database is open to rainbow table attacks. 

Erroneus
August 1, 2012

Well considering Dropbox recently had an information leak and lost multiple dropbox users' emails, I would never trust that mail from the fact alone they use my email and name.

I couldn't log in with my old password, as Dropbox decided my 20 char long passwords with five different char sets, which is ONLY used on Dropbox, was insecure….

Poor poor cover up Dropbox.

Adrian
August 1, 2012

you're missing the point. we're not mad we're changing a password, we're mad we're being lied to.

Tero S
August 1, 2012

“A new page that lets you examine all active logins to your account.”
How about also adding a view of the last 10 IPs the account has logged in from? Or at least a summary page of the geolocation (country) or AS the logins originated from? Would be great!

alessio alex
August 1, 2012

Let me log in with Google, I already have 2-way auth there. I don't want to receive 2 SMSes to my phone.

11231233
August 1, 2012

Login with google or login with Facebook would help to solve this problem

Mj3310
August 1, 2012

Was asked to change my password so changed it and updated lastpass to new password ….. but can only log in with my old password so a bit pointless really :(

Robert Freudenreich
August 1, 2012

Instead of Two-Factor-Authentication (which still does not work if Dropbox gets hacked), you could also use our encryption solution BoxCryptor (http://www.boxcryptor.com) which is optimized for Dropbox, Google Drive or other cloud storage providers. BoxCryptor encrypts your files with your key before they are uploaded to Dropbox and is available for Windows, Mac OS X, Android and iOS.

– Robert from BoxCryptor

Matt W
August 1, 2012

All you've done is make me suspicious of a phishing like email and then piss me off by forcing a password reset when I already use a strong password generated by a password manager which is unique to DropBox. Thanks for nothing; never do this again – you fucked up handling this by making poor assumptions and executing the mail badly.

Czarnik
August 1, 2012

Also try http://store.splashdata.com/?a
Use it on multiple devices and synchronize them!
Larry
2912AG01 17:40 Sydney

Tinnef
August 1, 2012

What I want to know is what are those e-mail adresses just lying around in some random account? If you had any regard for the privacy of your users you keep those adresses where they belong: locked away in a database. There is no reason whatsoever to have them just out in the open in a “project document”. For shame!

Gerard
August 1, 2012

If I understand correctly, and I will quote: “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts”.

This means it isn't a weakness of Dropbox but a weakness of the user because he is using similar passwords for similar services.

The only thing you can blame Dropbox for is that one employee doesn't take security as most important by using the same password for similar services.

The database of Dropbox isn't breached as I understand correctly. Please correct me if I'm wrong.

Yup
August 1, 2012

If irresponsible companies like you would start hashing the passwords properly, choosing a different password for every site wouldn't be required.

James Banner
August 1, 2012

This isn't the first time Dropbox is compromised. Something tells me there's something fundamentally wrong about their security. I think it's best to go with Google Drive or Microsoft Skydrive than trust Dropbox.

jke
August 1, 2012

What will happen to your careless employee who let this happen in the first place by using the same pwd for Dropbox? 

wiredfire
August 1, 2012

Choosing a different password for every site and every service, even if all such systems *do* correctly hash passwords, is plain simple common sense!  Even if the hashed passwords don't become compromised if *your* single password becomes compromised through human error on your part all your accounts are still at risk.

Tn
August 1, 2012

which is simply not true.
if anyone can grab your password by any means..let it be keyloggers, the best salted hashed password-storage won't help you and all of your accounts are gonna be compromised

sihowells
August 1, 2012

Please DON'T use Facebook or Google products/services as any kind of security measure. I am a little surprised to see so many people on here apparently trusting those corporations with their security and privacy. I was already thinking about moving to a client-side encryption service; if Dropbox gets into bed with either Facebook or Google that will ensure my departure from this service.

Jeroen
August 1, 2012

I would love to see Yubikey support. Best two-factor authentication with OTP :)

Jason Tokarz
August 1, 2012

Agreed.  Given that phishing emails are such a common attack vector, using this method to inform and enforce password changes is irresponsible.  Even if this is genuine and legitimate from Dropbox, it is desensitizing less knowledgeable users to the dangers of clicking on links in emails.

Yup
August 1, 2012

It is true.

When you get keylogged, nothing can help you, but that's the user's responsibility. As far as web services go, if they hash the passwords properly, it's *impossible* to retrieve them.

It's just stupid to ask the users to keep their passwords safe and at the same time not keep up your end of securing the data.

Yup
August 1, 2012

Most password compromises happen through keyloggers and in that case, as said above, choosing different passwords won't help.

That has nothing to do with the fact that not hashing passwords properly is irresponsible, especially when you run a service with millions of users.

djoos
August 1, 2012

+1 for 2-step auth.

FYI: an alternative to 1Password is KeePass (http://keepass.info/), which is a great free and open source tool.

Jason Tokarz
August 1, 2012

Really?  If somebody has obtained information from a compromised system, is it really that unlikely that they will possibly have your name as well?

As for the link pointing to 'dropbox.com', this is fine if you are knowledgeable enough to check for that. However, less knowledgeable people may not know or think to check the true destination of the link and, furthermore, this may well desensitize people (who don't know better) to the fact that clicking links in an email is not good practice.

This is irresponsible in my mind and could have been handled better.

Claudius
August 1, 2012

Our free solution Cloudfogger ( http://www.cloudfogger.com ) offers transparent client side encryption for Dropbox (and also SkyDrive, Google Drive and other cloud storage services). This ensures that – even if someone has at some point access to your Dropbox – he will still not be able to use your data because he will not be able to decrypt it.
Cloudfogger is available for Windows, Mac and Android. An iOS app is in development.

Greetings, Claudius from Cloudfogger

Guest
August 1, 2012

A few concerning questions that are not addressed in the above blog:

What was a staff member doing with users' email addresses in such a way?

Why was test or dummy data not used if this was a project document?

What processes are going to be put in place to ensure that user information is not exposed in such a way again?

You say 2-factor authentication will be available, will all Dropbox admin/staff be forced to use this? If not, why?

To use the 2-factor authentication, it's indicated above that a user is going to have to hand over a mobile telephone number to you, so why should we trust that information to you when you can't even keep email addresses secure?

You also advise that you will suggest a password reset if the password is commonly used, so how exactly do you secure the passwords on the back end? Are these passwords recoverable to plain-text to check, or will you be running a rainbow table against your own password database to identify weaker passwords?

I expect I won't see an answer to these questions from Dropbox though.

Hacker4748
August 1, 2012

How is Dropbox responsible for other companies not hashing / salting their users' passwords?

Albundy
August 1, 2012

I left the cloud world. Right now. BB dropbox.

Szaz
August 1, 2012

Presumably he'll become the most security conscious employee at Dropbox. What are you getting at?

Magical525
August 1, 2012

I already have a different password for *everything* and don't appreciate being forced to change my password when it's secure enough already.  Just because some people are idiots and use stupid simple passwords (btw *how* do you know that some people have common passwords? Only way I can think of is if you keep them in plain text and look at them – scary thought) doesn't mean that everybody does NOR that not changing passwords every month/quarter/year or so is insecure either. If you have a separate pass for everything password changes shouldn't be needed unless YOUR site was compromised.

on a side note – keeppass/1password aren't all that safe either – I know people who have had *that* compromised and that caused problems on ALL their sites.

Sander Datema
August 1, 2012

Passwords are saved as hashes and still you can find weak passwords. For example: my password is applepie and its hash could be 263fd52643e34ad. Dropbox could simply hash a list of weak passwords and then check if those hashes are in their user database. That way they would know you used a weak password.
So, no need for plain text.

Tanel
August 1, 2012

Except that it wouldn't be much better than plaintext (http://en.wikipedia.org/wiki/R

jke
August 1, 2012

True. I am just wondering how such a security breach can happen and if rapid growth is an excuse for such failure. 

Ulf Benjaminsson
August 1, 2012

[...]  require you to change your password [...] if it’s [...] hasn’t been changed in a long time

Balls to that! To my knowledge, there is no real world research indicating that an old password is inherently insecure. Byte strings are not perishables.

Rasmus Kalms
August 1, 2012

“Cloudfogger”? Don't say that fast in a sentence, or people might misinterpret you :P

John Z
August 1, 2012

Requiring password changes has nothing to do with making your password more secure. It's to guard against the risk that your password was already obtained by a previous breach, maybe months before. If you changed your password, then when the hacker finally sells your password and someone gets around to trying it, then it will not work.

guest
August 1, 2012

1) The presence of a name shouldn't exclude phishing…ever.

2) At the time, I was using the web-based version of Exchange when I received this email.  ExchangeWeb doesn't give you such a nice hover-to-see-the-link-URL; it tags that (HTML encoded) as a parameter to a link back to the exchange server.
3) I find that if I choose to open my dropbox from the system tray/menu bar icon, I can get in (for now).  But I would expect that will change once I reboot my system and I will need to change and reenter my pwd.

'David Cyrus
August 1, 2012

Please send an e-mail to all members who are affected by this issue. 

Anon
August 1, 2012

hashed(password.UniqueSalt)

should never equate to a 'commonly used password'.

didn't get the email as i assume i am not at risk, but i shouldn't have to find out about an issue of interest via mashable and not directly from you.

email us all, explain situation say follow up email to be sent to users at risk. 

Anon
August 1, 2012

How about finally supporting client side encryption?

John Abassian
August 1, 2012

If they are being salted properly, the password “ThisIsAPassword” would be hashed differently every single time someone uses it, that means they cannot know that it's a commonly used password. 

John Abassian
August 1, 2012

If you're using a password manager to generate a random password that it will store and you'll potentially never have to type again, why not make it as long and complex as possible?

Christoph
August 1, 2012

Did Dropbox learn from the last incidents? No, the same crap communication to a subset of users only, as every time. Why do I have to get such important information from a random Twitter account rather than from an official email from Dropbox?

PWCracker
August 1, 2012

…and still yet another person who doesn't understand passwords and the “why” of routinely changing them.

Christoph
August 1, 2012

+1

PWCracker
August 1, 2012

EXACTLY -  which is WHY you use stronger passwords and CHANGE them routinely. How hard is this concept people???

PWCracker
August 1, 2012

better YET – go buy a 1T USB drive and connect it directly to your computer.   There's no such things as complete security, encryption or not. If your data is going to the cloud – EXPECT that it can be compromised

thirdxeye
August 1, 2012

Not going to happen because of the internal file matching. But you can use a TrueCrypt container.

Jason
August 1, 2012

Agreed 100%. Multi-factor auth needs to be 100% required across the board for Dropbox employees.

I was one of the lucky winners that received the email this morning. Why was my email in some random employee's Dropbox???

Instead of implementing 2-factor auth via SMS, which costs us money, please use something like Google Authenticator. And before people flip out, there is no connection made to Google when using the authenticator. LastPass has implemented this, and it works beautifully. If you want to also offer SMS for users with dumbphones, fine, but don't force us all to use SMS.

Jason
August 1, 2012

Presumably you're referring to Google Authenticator? It's just an app that doesn't make any connection back to Google. The apps are simply TOTP / HOTP clients. Plenty of server-side implementations of those are available, and not one of them is from Google or Facebook.

Irwin R. Schyster
August 1, 2012

Cleverly written post that has sparked debate among readers about the passwords they use / re-use.  Dropbox has leaked customer data due to poor data control policies and internal IT policies.  This should be the sole focus of any discussion on this subject.

nate
August 1, 2012

If you received an email (as I understand the situation), your email/password was stolen from another company and used to access/try to access your dropbox.

Still, the rest of us want to know why our emails were in some employee's Dropbox, unsecured.

Bajo
August 1, 2012

Hello

My credit card was compromised today. I bought storage in April with my credit card. Could this be connected?

I do not blame Dropbox, but I haven't done much shopping with my credit card since. I am still doing some investigation to find out where the credit card was compromised.

Please check your databases…

Best regards

pip010
August 1, 2012

isn't that way too complicated a scenario for such a complicated chore as a regular password change?

pip010
August 1, 2012

or you can use any other crypto provider, like PGP, etc…

Ken Seefried
August 1, 2012

Perhaps I'm missing something.  If recognition of this event stemmed from spam sent to accounts that users “used only for Dropbox”, then how exactly were passwords recovered from “other websites” associated with these accounts?  I understand that users reuse passwords, but an attacker still needs that Dropbox specific username.

Now, if they were claiming that the username+password combo was recovered from the saved credentials in the users browser (something we see malware doing all the time), then I would understand.  But this is clearly not what they are claiming.

pip010
August 1, 2012

and an alternative to all this madness is to come up with your own pattern! hackers don't target individuals! they run scripts! so it was for sure a script probing all the leaked passwords against popular websites/services

pip010
August 1, 2012

Dropbox is insecure. DO NOT USE for sensitive data, PERIOD. there are similar, more security-centric services. BUT, then again, don't expect them to be as easy to use as dropbox

pip010
August 1, 2012

there is nothing fundamentally wrong about something essentially missing :D

pip010
August 1, 2012

not using salting universally!

pip010
August 1, 2012

and what if you use the same password on those services too!? you see, in all practical security production systems, regardless of cryptology or other means, there is always the weak link: PEOPLE :) it amazes me when people think of hackers as a geek at a blinking monitor. NO! hacking people is so much easier, aka social engineering.

pip010
August 1, 2012

even then, people usually end up using 2 passwords and changing from one to another. although some admins do check for it. yet better to come up with PATTERNS than a FIXED PASS!

pip010
August 1, 2012

” use very long password with multiple char sets. “
and how do you keep track of and remember 100 passes for 100 sites?

pip010
August 1, 2012

:) here is a step by step algo (since I assume you are a dev):
1) a user picks a pass e.g. “qwerty” and you hash it (not crypto here) with SHA256 in order to save it to the DB
2) you have generated, and stored in the DB, the hashes for common (dictionary) passes like “qwerty”
3) finally you check whether the new user's password hash exists in the DB; if yes, pop up a warning message

usually you do salting so you don't need to force the user to pick a non-dictionary password, then you hash the user pass like “qwerty” + secret strong key-pass (e.g. Qa12#_!0×666) :) you get the point

pip010
August 1, 2012

well yes. so once the DB is compromised (let's say XSS and SQL injection) then you can get all hashes and users respectively. then it is easy :) just rainbow
EVEN if you get salted hashes there are other ways to crack, like GPU brute force

phlip
August 1, 2012

This means that someone hacked website X, and stole usernames and passwords. They then used those same usernames and passwords to login to dropbox. In cases where people used the same username and password for dropbox as they used for website X, the hackers got access to their accounts, and sent spam from said accounts. 

mcored
August 1, 2012

I hope Dropbox reads these comments. Google Authenticator support is available for Lastpass. It works like a charm! 

JuanD
August 1, 2012

The key is that a Dropbox staffer had used his username+passwd combo on another site. His account was compromised and he had a spreadsheet with user emails (including the unique ones) in his dropbox.

Sbrown7792
August 1, 2012

It sounded like an employee's email and password was 'stolen' in the hack of other websites, and the hackers used his info to log onto DropBox and compromise some users' information.

Kellic
August 1, 2012

Please use Google Authenticator 
http://en.wikipedia.org/wiki/G…  So I'm not installing yet another dang app on my phone for this.  Lastpass already uses Authenticator and its slick.

Douglass
August 1, 2012

where's the false accusation? where's any accusation? i do assert that they have a nasty habit of lying to users about security. i'm referring to their previous false claims (oh, no, we just misunderstood!) of being a zero-knowledge system.

according to the email, this group of clowns disabled my account and forced a password reset on my for no reason whatsoever. what a bag of dicks! they deserve massive abuse for this, and here i am abusing them.

they also deserve to lose a ton of customers over this, and i think i'm going to switch to wuala, with ubuntu one + encfs as a secondary possibility.

Ryan
August 1, 2012

Oh god! So much confidence and non-sense in the same sentence.
Oh well, people like you are the reason why people like me in IT security have jobs o/

Ryan
August 1, 2012

1Password, keepass, etc.

anonymous
August 1, 2012

Agreed!  Was thinking the same thing.  I don't use dropbox now because of the security issues, but I may give it a second glance – it would be nice if it was integrated with Google authenticator.

pip010
August 1, 2012

well, reusing the same username is even more common than reusing a password, don't you think?

pip010
August 1, 2012

I recommend it in case you have sensitive info and you want it backed up or shared via dropbox!

Ryan
August 1, 2012

A salt should be per-user and per-password unique data. But this is not secret data; it appears in the database along with the password's hash. It is easy for Dropbox to check the password hashes against a dictionary using the corresponding salts.

tekwarrior
August 1, 2012

You should start improving security by getting rid of email addresses as user names.

Bob Van Zant
August 1, 2012

I too use Yubikey and would support this. Google authenticator is silly because you have to pull out your phone, type in your passcode, start the app, wait for the ticker to expire and then manually type in ~6 digits.

RoC1909
August 1, 2012

Thank god I didn't use any of my “new” email accounts that don't get ANY spam. Advice…..GET RID OF EMAIL ADDRESSES AS USER NAMES!

Morons!

Irwin R. Schyster
August 1, 2012

I consciously avoid Google as I distrust them and am not alone.  Any move toward a Google affiliated service would be a negative one imo.  Google offer their own service, which is in direct competition with Dropbox, so this is a non-starter.

Bob Van Zant
August 1, 2012

This is simply untrue. Password hashes with salt are still vulnerable to dictionary attacks, they just take longer (how else would they verify a password is correct).

Ryan Goldstein
August 1, 2012

The Google Authenticator app, though created by Google, does not send any data to Google. It's simply a standalone, open-source application that implements TOTP/HOTP and doesn't require or use any network connectivity at all. See https://code.google.com/p/goog… for details.

Richard T
August 1, 2012

I have 300 passwords that I manage in 1Password.  You think I want to change 300 passwords regularly? No.

JaTochNietDan
August 1, 2012

Thanks for the new 2-step authentication update, that's really useful.

Magical525
August 1, 2012

heh – I understand passwords well enough – they are only as secure as the user and the site you use them on. I change passwords on MY schedule and don't like being forced to.

Magical525
August 1, 2012

They shouldn't be saved as simple hashes but as uniquely salted ones, so it shouldn't be possible to see what is what with them nor see if they are strong or weak etc.

Zim
August 1, 2012

Don't be paranoid. Or -if you are- just download the code, view it yourself, and compile it yourself. You can even make a brand new (better) method so everybody can be free from the evil claws of Google.

Zim
August 1, 2012

Keep in mind that if the password was stored as plain text in other site it's just a matter of trying it elsewhere to see if it works — and then your account is compromised, no matter how good is your password encryption. The weakest link is the user :/

Guest
August 1, 2012

What do you mean by “unsecure”? Dropbox (repeatedly) documents that files are stored encrypted. The attacker stole the credentials. Poor security education, but not the same thing as “unsecure” storage.

Fahad Uddin
August 1, 2012

Hey Seth! A fan of yours. I have put your ebook on my blog. Why not change to another service like Google Drive?

Fahad Uddin
August 1, 2012

I have listed a comparison of different services like this. Google had offered before what you are offering now. They do this two-step verification. I had been a big fan of Dropbox but security is a critical issue.
http://www.startupsandfinance….

Zim
August 1, 2012

As you probably know, users don't care about their passwords like you do. It's important for Dropbox (as a service) to be careful with all their user's information. Better safe than sorry.

Zim
August 1, 2012

Many dumbphones these days have Java, and there's a Google Authenticator version for that too :)

Guest
August 1, 2012

The blog post you are commenting on says really very clearly that the attacker used stolen credentials. That's bad security practice, sure, and I assume being corrected. But not trusting Dropbox because of an extremely solid response with a clear outline of what happened… is really pretty dumb. But have fun.

Zim
August 1, 2012

Sure. But j5mOVbT$sTP!tEU1 is a lot safer than Y0u25eCuR3p4SsW*rD. Random beats pattern :)

pip010
August 1, 2012

hehe cloudfogger :)

Zim
August 1, 2012

This failure was expensive for Dropbox. On the other hand, when a person fails they gain experience. So this employee received expensive training, and as Szaz says it's probably the most security conscious employee at Dropbox.

Zim
August 1, 2012

Even if the pass is salted, if you have the same password in every site you're screwed. It doesn't matter if Dropbox salts and stores your password in the middle of Mordor.

pip010
August 1, 2012

well… depends on the pattern ;)
how random it is :P

Guest
August 1, 2012

There is no information to suggest that “Dropbox is insecure” besides you spouting it like dogma. What?

JSnt
August 1, 2012

Moving to Google Drive…

Trust Is Broken
August 1, 2012

words, words, words. don't need the stress or hassle. moving to box.com. trust is gone and so am i.
peace out.

Dropbox
August 1, 2012

How about (at user's option) keeping and publishing all the information regarding when and from where an account was accessed?

Guest
August 1, 2012

When has the company *ever* claimed that they were a zero-knowledge system? Ever?

Carsten
August 1, 2012

Uh, oh. In addition: Apparently I read this too fast: Dropbox users _received_ spam on their account address. Anyway, in most parts this still fits this situation.

Of course there's still the fact that user data was stolen from a dropbox employee. Also, this happened to other providers as well, it just isn't made _that_ public.

If you store private or very important information on any cloud storage, just be sure to add an additional security layer like a truecrypt-container in your dropbox.

No
August 1, 2012

Try cracking a properly bcrypted hash. See you in a few hundred years.

w.h.
August 1, 2012

…and people like you are the reason we are stuck with security from the 1990s.

Giuliano Ribeiro
August 1, 2012

Security issues again???? I moved to SpiderOak 2 years ago, since the first of Dropbox's failures!

Lol
August 1, 2012

same

Zazie Lavender
August 1, 2012

I myself would love to see this integrated with Google Authenticator.

Mike Doherty
August 1, 2012

> In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

Um, how do you know if my password is commonly used? Isn't it hashed and salted? Am I misunderstanding something?

LoginRadius
August 2, 2012

Wouldn't that be a better idea to start integrating existing OpenIDs like Facebook, Twitter, Google etc? That will make Dropbox more secure as 

faithfuldropboxuser
August 2, 2012

No system is 100% secure. I'm appalled by all of the bashing against Dropbox here. I guarantee you that whatever service you ditch Dropbox for is just as vulnerable.

StepnSteph
August 2, 2012

Pitching my support for this. I own two YubiKeys. Please add support for it, Dropbox.

StepnSteph
August 2, 2012

He's probably speaking from a purely technical, rational perspective.  Or I hope so, anyway.  No single company should be explicitly trusted with information, particularly with secure documents (banking or related spreadsheet data, for instance).

Personally I use GnuPG to encrypt files before placing them into my Dropbox.  Considering the event with this employee's password, my precaution was apparently not a complete waste of time (meaning that it is conceivable that something worse could have happened).

More security always means less convenience, unfortunately.

By the by, I am not intentionally insulting Dropbox nor the employee in this comment.  Stuff happens.  Others can debate the particulars.

BenK
August 2, 2012

Even salted and hashed, they still can take a cracking tool and run it against the password list.  It'll generate possible passwords and then salt/hash those and see if it matches anything in the encrypted list.  Feed it a few dictionaries and some of the online lists of past cracked passwords and it'll probably find many matches without too much time or effort.

Tulio323
August 2, 2012

Utter bullshit — just because Dropbox neither seems to understand the concept of security (or worse, does not care), that does NOT mean that every other competitor is as stupid. Goddamn what a dumb thing to say.

Randy Gonzales
August 2, 2012

@google-07feb1c4a2aaf22752c9924b95db944f:disqus why was the site cert provided/handled by Kitchensink.n0t and later the site certificate was fixed but at an odd date?

Guest
August 2, 2012

You (apparently) don't understand the “concept” of security either. What's that even supposed to mean?

Asdf
August 2, 2012

That would be Dropbox's work. Log-in attempts at random intervals, but trying for 1-2 hours? If it's from the same IP, well yeah.. if from multiple IPs, .. how could I do that, doh?

Mahbub
August 2, 2012

Clicking “Launch Dropbox Website” from the Dropbox software directly logs in to the web without asking for a password. This is a serious issue.

Also, a local password for the Dropbox software would be a great help.

pip010
August 2, 2012

1- uses HTTP for communication (this is a major one)
2- the data is not encrypted
3- obviously, as far as Authentication goes, there is more to be desired :)

enough?

pip010
August 2, 2012

”More security always means less convenience, unfortunately.”
I agree, or at least that's the status quo for now. Unless some Einstein of crypto comes along :)
for all but the most trivial scenarios it is always a case of trade-off between convenience/flexibility and security :( from your school to the biggest corporations .. same.. same.. same..

Saturn
August 2, 2012

How many email addresses were in the “project document”?
Did the “project document” contain other information, too?

Why did the employee store email-addresses in his Dropbox?
Are you going to inform the users whose addresses are leaked?

Richard Colley
August 2, 2012

But Dropbox know the salts.  They must do in order to check your password when you login.  So it's easy for them to do this.

Richard Colley
August 2, 2012

They don't need to store plaintext passwords or use rainbow tables to test password strength.  They already know the salt used for each password.  They can just test against a dictionary of poor passwords.
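The check that Sander Datema, pip010 and Richard Colley describe above, as an added Python example that is not code from this thread or from Dropbox: a per-user salted password store, and an audit that re-hashes a constructed weak-password list under each account's stored salt. The account names, salts and the weak-password list are constructed for the example; the strong password is the one Zim quoted.

```python
import hashlib
import hmac
import os

# Constructed example: a per-user salted password store and a weak-password
# audit run against it.  Added illustration, not Dropbox's code; the
# accounts, salts and passwords below are made up.

ITERATIONS = 10_000  # PBKDF2 work factor; raise it (or use bcrypt/scrypt) in a real system

# Constructed "common passwords" list; a real audit would use a large
# breach-derived dictionary.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "applepie"]


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(db: dict, username: str, password: str) -> None:
    """Store a fresh random salt next to the hash, as a salted scheme does."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(db: dict, username: str, password: str) -> bool:
    """Normal login check: re-hash with the stored salt, compare in constant time."""
    row = db.get(username)
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row["salt"]), row["hash"])


def find_weak_accounts(db: dict, weak_passwords: list) -> set:
    """Return the usernames whose password is in weak_passwords.

    The server does exactly what verify_login does, once per (account,
    candidate) pair: re-hash the candidate under THAT account's stored salt
    and compare.  No plaintext is stored and no precomputed table is used;
    the salt only forces the work to be repeated per account, which is why a
    slow hash matters: cost = accounts x dictionary size x iterations.
    """
    flagged = set()
    for username, row in db.items():
        for candidate in weak_passwords:
            if hmac.compare_digest(hash_password(candidate, row["salt"]), row["hash"]):
                flagged.add(username)
                break
    return flagged


def build_sample_db() -> dict:
    """Constructed accounts; the strong password is the one quoted in the thread."""
    db = {}
    register(db, "alice", "qwerty")
    register(db, "bob", "j5mOVbT$sTP!tEU1")
    register(db, "carol", "applepie")
    register(db, "dave", "qwerty")  # same password as alice, different salt
    return db


if __name__ == "__main__":
    db = build_sample_db()
    # Same password, different stored hashes (the point John Abassian raised)...
    print("alice and dave hashes differ:", db["alice"]["hash"] != db["dave"]["hash"])
    # ...yet both are still found, because each candidate is hashed per salt.
    print("accounts with a weak password:", sorted(find_weak_accounts(db, WEAK_PASSWORDS)))
```
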

Listerine
August 2, 2012

Thanks for the 2-step authenticator.

Ryan
August 2, 2012

In what way are we stuck with security *since* the '90s?
Information system security today is nothing, absolutely nothing, compared to what it was in the '90s… Seriously, what's your meaning, and what exactly do you do for a living?

Daniel Mendalka
August 2, 2012

Pushing users to change their password is a bad idea. If I am a “good user” with a hard-to-crack but easy-to-remember password unique for each site and you make me change it every month, it will be much more challenging for my brain to remember the pattern of what password I should use this time.

Jamesrome
August 2, 2012

Why aren't Dropbox employees using one-time passwords?

guest
August 2, 2012

Err… why is that a serious issue? If the attacker has control of your computer, they already have everything (including much more powerful information, such as any online banking credentials you have in cookies, for example.)

Felipe Sebastiani
August 2, 2012

Suggest a mechanism to know from which IP addresses a particular Dropbox resource or directory has been accessed (number of attempts, place or country of origin), together with a notice via email.

Glenn Snead
August 2, 2012

If you're going to implement 2-factor authentication, can you integrate it with LastPass and/or Google Authenticator? SMS is all well and good but that will just prompt the spammers and crackers to send fake SMS authentication messages via a burner phone.

Also, what about encryption?  Stuff happens: certificates are compromised, passwords are written down, passwords are reused, https traffic is intercepted, etc.  

Guest
August 2, 2012

…https traffic is intercepted? you have a realllllllllly big problem then. No. Dropbox stores files encrypted (although they know the key) and transmits with https. Which means encrypted.

Guest
August 2, 2012

I suspect the whole point of 2-factor authentication was for Dropbox employees to use it themselves. We just get the benefit.

Guest
August 2, 2012

Because if you didn't get the email, then it didn't affect you in the slightest in any way at all?

Guest
August 2, 2012

…and they're fixing it… what's there to discuss? “They should fix it.” “Okay, yeah, I agree.”

Nathan Pinkerton
August 2, 2012

I came back to ask about this very thing… this certainly throws a whole new wrinkle into things, and makes me think, more so than before, that there is something dropbox isn't telling us.

Ed
August 3, 2012

Why did I have to read about this via Engadget, rather than receiving an email direct? I was one of those who had received spam to an email alias only used with dropbox – so suffice to say I am sufficiently pi**ed off (particularly given the lack of direct notification) & will never consider paying for a dropbox service as a result.

guest
August 3, 2012

That's absurd--there was no compromise of your account (they emailed those people). Why in the world do you care if your purportedly unique email receives a bit more spam? Nothing. Happened. To. Your. Files.

Guest
August 3, 2012

1- ALL Dropbox transmissions are under HTTPS ( https://www.dropbox.com/help/2… )
2- The data is encrypted with a key Dropbox knows (same link, AES 256-bit), presumably because if not, you just can't do things like web preview, sharing, etc.
3- And they just made a great response saying they're beefing up authentication with 2-factor auth and the new security page.

So basically–you just said two things that are BLATANTLY false, and one gripe that I do agree with.

enough?

Guest
August 3, 2012

You've logged in to Dropbox. *Before* checking for authentication, they can see if the password matches a list. In plaintext. (which is okay, because they transmit with SSL--can't intercept it) But that doesn't mean anything about how they store passwords, at all.

Also, it's better for them to be cautious and reset these accounts than to, you know, just ignore it and lie about it. They told the truth–why would they post this at all if they were lying??? All they get from this is idiots like you giving them crap for no reason.

Webdesign
August 3, 2012

Hope that never happen again in Future!

Sdas
August 3, 2012

Ah yes….the anon Dropbox employee

pip010
August 3, 2012

1- Yes, my bad, I think at least they used to. But again that doesn't mean there aren't issues: http://paranoia.dubfire.net/20… and http://lifehacker.com/5853483/

2- I was speaking of local encryption. But again see the 1st link for: are they really encrypting ALL on the cloud?

3- see my 2nd link and HOW pointless is whatever AUTH you use if you miss on handling cookies right!

enough?

Mapson
August 3, 2012

Strange, a number of us had EuroDice spam to email addresses *exclusively* used with Dropbox but didn't receive a reset password email from Dropbox.

Is there another, unreported issue, here?

Guest
August 3, 2012

… read the blog post. One of the accounts that re-used a password was a Dropbox employee who had a list of emails in a document.

Guest
August 3, 2012

1- That side-channel was disabled. It's like they're responsive to security reports or something. HUH! You can see for yourself if you generate two accounts and try to upload the same file. Then try to upload the file on an account that already has it. You will see that dedup is per-account now.

2- Yes, they are? The dedup doesn't preclude that. You can still dedup, then encrypt (since again, Dropbox knows the key). Now without this side channel it's more secure in terms of leaked information.

3- And the lifehacker link seems irrelevant. Again, they use HTTPS for every connection. If you think they're doing it wrong, then give some proof! Steal a cookie from your account on another computer, then email them about it.

In any case, we've gone from “dropbox has literally no security” to you spewing random attacks against random websites apparently as evidence that dropbox is itself insecure. I don't mind you calling people out, but do your research before. It's just not fair to companies if they're doing the right things and yet you still call them out incorrectly. Bye.

M E Murtag
August 3, 2012

It's called a man-in-the-middle attack: interception of https traffic

Notoanonymousposts
August 3, 2012

Seems guest is an employee of Dropbox !

Insecure Dropbox
August 3, 2012

Any chance the Dropbox employee can stop posting anonymously. Dropbox unfortunately has had multiple security vulnerabilities and this was just another example of lax security practices employed by Dropbox.

Maninmiddleattack
August 3, 2012

HTTPS can be intercepted; it's called a man-in-the-middle attack. Whoops, the anonymous Dropbox employee who doesn't know about security !

Guest
August 3, 2012

it's more like you have no idea what you're talking about.

Really?

Hmm…

> Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

https://www.dropbox.com/help/2

Probably because of this:

> Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

https://www.dropbox.com/help/2

Speaking before doing any research just because you read “Google” in there.

Google Authenticator is open-source code and an app. Go ahead, download it, read it, and tell us if there is anything “evil” in it that shouldn't be there “just because Google made it”.

Don't be quick to dismiss things just because some 'keyword' fired up a million alarms in your head. As the age-old saying goes, “Don't judge a book by its cover”.

If after everything you are still paranoid, then by all means develop a new app, since you know better. Heck, don't ditch 2FA/TFA, because it has nothing to do with Google. It just so happens that the app and system Google developed is more popular than the other 2FA/TFA software developed by other groups.

The thing I care about most is this:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

https://www.dropbox.com/help/2

They shouldn't be able to read anything at all.

Dropbox employee alert.

It's better to name yourself, you know. It adds more credibility than some anonymous posting…

how about offering options?

Yet another user that is quick to judge just because some 'keyword' sounded a million alarms in their heads.

Just because the software developed by Google is called “Google Authenticator” doesn't mean it is “evil”. Get real, man, DO some research before you open your mouth. Because you know what? It only shows how little you know about “Google Authenticator”. Let me help you:

1) It is open-source. So feel free to download the source code, read it (if you can), and tell the whole world that it is indeed “evil”, as you claim it to be, because it was developed by “Google”;
2) Since you say “Google” is evil, and anything that they put their hands on or developed is “evil” regardless of whether it is open-source, then by all means develop your own and share it with us. Just be sure to make it open-source too, so we can check how pure and “good” your code is;
3) 2FA/TFA has nothing to do with Google Authenticator. It just so happens that the software Google developed (and it is OPEN-SOURCE) is more popular than its “competitors” in the 2FA/TFA space.

So please, next time, before you spout “if Dropbox gets into bed with … Google that will ensure my departure from this service”, make sure you did your research first as to the suggestions of the people here re: “Google Authenticator”. Otherwise, you'll look like… well… I'm sure you know what you look like now.

As for Facebook.  I don't care.

Can't agree more.

It is much better and more positive if they name themselves instead of HIDING under the anonymous banner.

Name = more credibility
Anonymous employee = riiiight, aren't you obvious, why hide?

 Nope, it wasn't.  You understood it correctly.

It's some employee's account elsewhere that was compromised; then luck (or bad luck) had it that the infiltrators got hold of a document with a list of emails from select Dropbox users stored in that employee's account.

And that's why adding 2FA/TFA is good, because it will add an additional layer of security. If someone gets hold of your username and password, they still have to enter a randomly generated token before they can truly enter your account.

This randomly generated token is refreshed every 60 secs (the usual setting). After that, you cannot use it. (Some services add a grace period of a few seconds before expiring the old one.)

No communication is done in 2FA/TFA, so MITM attacks are virtually impossible (unless they MITM you during your setup of 2FA/TFA, in which case they'll see the one-time code that enables synchronization between your app [if you choose an app] and the server – but I haven't heard of such a thing yet; it's a theoretical risk raised by a few somewhere).

Darren
August 4, 2012

is there a list of hacked accounts?

Noel
August 4, 2012

Time to go to Spideroak

Guest
August 6, 2012

 Oh, so you mean user stupidity about trusting a cert?

Guest
August 6, 2012

 How does that contradict “encrypted” in any way. Dropbox knows the key. They can encrypt the files. And therefore decrypt them. This isn't a hard concept to understand. Do you complain that Facebook does not store your data with client-side encryption? Google docs? Google mail? Apple's suite of products?

Really?

Hmm…

Mahbub
August 6, 2012

I use Dropbox in my office and it's not a personal one, so asking for a password when launching the Dropbox website will prevent people from accessing my Dropbox account and making changes.

Dropbox
August 6, 2012

 But his email address was stolen from a Dropbox employee…so I think it's reasonable to say he has a fair point.

Rob
August 6, 2012

Therein lies the problem: you assume users understand how certs work. A major cert supplier was recently busted for issuing a cert for *, yup, I kid you not; it was supplied to a client who wanted to monitor its employees' access over HTTPS.

Just imagine if that had made it to the wild… a trusted root cert with a wildcard certificate issued below it.

BN
August 6, 2012

Time to switch to Wuala!

RM
August 7, 2012

My username/email address (unique to Dropbox) was stolen from the Dropbox account of a Dropbox employee and is now known to spammers and hackers. 

SHAME ON YOU. I submitted a support ticket and received a standard reply that it was being “looked into”. Since then I have heard nothing. Nada. Zilch. Zip. Zero.

SHAME ON YOU.

Dropbox sensibly conducted a security audit and posted the findings here.

OK

Dropbox also introduced an activity log page so we can check for suspicious activity

ABOUT TIME TOO

Dropbox emailed those whose usernames and passwords were breached, or suspected to be.

NATURALLY

But I have had no contact advising me to change my username or how to do this, even though they know it was stolen from the hacked Dropbox account of a Dropbox employee.

SHAME ON YOU

Yet for some reason I am currently still engaging with these numpties at Dropbox

SHAME ON ME

Webdesign
August 7, 2012

 Big thumbs up on Google Authenticator. I'm a big fan and have been using this with great success.

Bowflex
August 7, 2012

 I don't think they know definitively who was spammed.

Used tents
August 7, 2012

 That goes for any cloud based service.

Dhcmiweh
August 10, 2012

Along with an option to send a text message, please include an offline mobile application as well (similar to a bank pin token). Additionally, also give the option to print 5-10 one time codes. Similar to Google. Reasons? Plenty! For instance, I am travelling to another country and my phone number has changed. The offline code generator can be enforced inside the Dropbox application as well. Thank you.

Jack Smith
August 17, 2012

Dropbox is taking action; it is a good thing.
Users should encrypt their data before sending it to the cloud. The cloud is going to stay.
Let us find a secure way to use it.

Alex
August 20, 2012

A few weeks have passed. Any update on two-factor authentication?

Marcin
August 27, 2012

Just curious to know when will this security feature be rolled out to Canadian users. I still do not see this enabled for my account.

Ryan Goldstein
August 27, 2012

Go to this link – http://www.dropbox.com/try_twofactor – then you should see the option at the bottom of the page, in the ‘Account sign in’ section.

Dito
August 27, 2012

box.net sucks! There are 3 tiers of accounts and you are really limited; they are not giving good features on their 2 “light” tiers, you kind of have to buy the 3rd tier, and you ONLY have 14 days to test it and pay 1 year in advance (really!?!?), and you can fight as long as you want to get money back (even if one of their product pages says up to 80 days!!). Selective sync is not a Box option (good luck to you if you have big subfolders or organize your folders using just root folders!!!). Dropbox is great, and you should really like this option (read my words well: option! not forced, but optional), because unless you are happy with publicity, you don’t want your stuff unsecured out there….

guenther
September 19, 2012

I can’t understand two-step verification; for me it doesn’t work: if you are in the Dropbox folder on your PC, using the right-click function, you can share folders without any “two-step verification”; you’re automatically logged in to this account, can see all data, can make changes in it… Only if you start a browser yourself are you asked? The design of this function should be: if two-step verification is activated, EVERY SIGN IN for changes must first verify through the “two-step verification”, even if you start it inside the Dropbox client.

Andrew
October 2, 2012

Well and good, but 2-factor should be applied to the “launch Dropbox website” link in the system tray. OK, someone with access to that has got access to all your files anyway, but they should not have access to your settings (or be able to share a folder without your knowledge, for example). Simple damage limitation really. If you are tough on security you need to make every option available to lock it down.

On my wish list would be client-side encryption like Spideroak (zero-knowledge policy) – why am I not using Spideroak? Because it is slowwwww (not explained by encryption, as whether this is client- or server-side it should be the same).

Dropbox has the lead; I have returned from using Google Drive (which ludicrously requires you to re-download every single file, even if it is 100 Gb, if you have to re-sign in, and as it flops over frequently this is a BIG problem), but Dropbox has to increase its security; we need to be able to lock it down tight. Things I worry about are Dropbox integration in many phone apps (who is controlling those?), the click-the-link-to-log-in even if 2-factor is enabled, and web access. Admittedly the competitors have these issues as well, but what I want is a sync solution that has no web access (other than an admin panel perhaps), and requires additional security beyond a password.

Ronan
October 7, 2012

We feel that somebody has logged onto our account. Is there no number for us to contact? We contacted Dropbox four days ago now and still no word. Can we talk to a person on this??

slice
October 20, 2012

A great product.
Choosing workable passwords, and remembering them, is still a trick that I wish I could master.
Some days I am there, while some days I am not.
But all we can do is try.
An excellent network, and I will use it for notes from our Facebook page and our website.
http://navoices.com/
Great network!

manesh sonah
November 9, 2012

Yeah, I do think there’s a major security issue about that. For sure their program analyses readable passwords from their database. Then it may not be encrypted? I have sensitive documents on (http://www.norgilcanada.com) Dropbox and am afraid my access might be out of my hands.
John at http://www.serpsite.com

[…] to spammers, company blames 2012 security breach (Note 2) Dropbox employee response (Note 3) Security update & new features (Note 4) Why was my email […]

[…] Now quite some time ago, and I could have written about this before, I started receiving proper spam emails at “myname-dropbox@mydomain.com”. Now that is rather strange. So I contact Dropbox and they admitted they had had a security breach in which many email addresses had been harvested. They pointed me to a post on their site explaining about it. […]