10:47 AM

Dropbox Admits Hack, Adds More Security Features

Flood of email spam blamed on attacker grabbing an internal document containing users' email addresses.

Dropbox Tuesday confirmed that its users have been experiencing a spam onslaught, and pointed the finger at any unlikely source: an internal employee.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

The Dropbox spam investigation began two weeks ago, after users began reporting spam attacks against email addresses that they used only for the service.

[ Security officials are using data analysis tools to combat cybercrime at the London Olympics. Read about it here: Olympics Tap Big Data To Enhance Security. ]

But many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.

But do those fixes--and related explanations--go far enough? "For me, there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a 'project document' --why? Shouldn't they be using dummy data?" said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised. It is not specified which services they refer to, but again, why?" Ferguson also criticized Dropbox's use of email--without first publicizing the breach--to inform affected users that their password may have been compromised, and for including "reset your password" links in those emails, thus making them virtually indistinguishable from the spam and phishing attacks that currently flood people's in-boxes. "This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a website to enter any kind of credentials," he said.

What could Dropbox have done better? "Instead of [sending] a password reset link, they should direct users to browse to the corporate homepage and follow the information there."

As the Dropbox breach illustrates, password reuse continues to be a prevalent security challenge. It works like this: Attackers breach a website such as LinkedIn or eHarmony, steal usernames--or emails--plus passwords, then use those to try and log into other services. Should such log-ins be successful, attackers harvest personal data, contact lists, try an "urgent request from a friend" scam, or use the compromised account to launch large volumes of spam emails.

The easiest way to stop password-reuse attacks is to stop reusing passwords. But according to an online password survey of 250 people recently conducted by software vendor mSeven Software, 76% of users rely solely on their memory--versus writing passwords down, entering them in a computer file, or using a password manager. In addition, 48% of respondents said they maintain just four passwords--or fewer--for any website they use that requires a password, even though 75% of people said they use at least 10 sites that require passwords.

In other words, most people don't seem to bother varying their passwords across different websites. As a result, when attackers obtain one password, they can use it to unlock that person's account on numerous other websites. "The Dropbox incident underlines the necessity of having different passwords for every website," said Graham Cluley, senior technology consultant at Sophos, via email. "As people pile more confidential information onto the Web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."

Of course, even without password reuse, no cloud service is impenetrable. "If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," Cluley said. "That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway."

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
8/1/2012 | 7:00:53 PM
re: Dropbox Admits Hack, Adds More Security Features
After last yearGÇÖs embarrassing data breaches, Dropbox promised to implement additional safeguards GÇ£to prevent this from happening again.GÇ¥ Whoops, it just happened again.

here are my thoughtsGǪ

Read more at http://macdailynews.com/2012/0...
User Rank: Apprentice
8/2/2012 | 9:39:37 AM
re: Dropbox Admits Hack, Adds More Security Features
Well sorry but I've had enough with Drpbox.. I decided changing of online backup solution. Surfing the net I found something called "Bajoo" and read everything about what they do. I'm really interested cause they have, like, everything! encryption, secret pass phrase, etc... I'm considering it.
User Rank: Apprentice
8/2/2012 | 2:54:57 PM
re: Dropbox Admits Hack, Adds More Security Features
What methods/software are available to encrypt data at the PC level ? How would we recover the encryption for all the encrypted files stored on the cloud in the event of a PC crash & rebuild ??
User Rank: Apprentice
5/24/2014 | 11:41:00 PM
Fine for personal pictures
Dropbox is fine for casual things such as personal pictures, but not senstive business or customer data. For that I use CertainSafe, the only file sharing service with MicroTokenization, which breaks a file up and encrypts the pieces. Almost unhackable.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio