July 31, 2012

Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they’d created specifically for use at Dropbox. Today, the company confirmed that suspicion, blaming the incident on a Dropbox employee who had re-used his or her Dropbox password at another site that got hacked.

In a statement released on its blog this evening, Dropbox’s Aditya Agarwal wrote:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

A Dropbox spokeswoman said the company is not ready to disclose just how many user account credentials may have been compromised by this password oops, noting that the investigation is still ongoing.

The company says it has plans to roll out additional security measures that should help users protect their Dropbox accounts even if users (or employees, presumably) lose account passwords, including two-factor authentication (Dropbox says this will be coming “in a few weeks”), new automated mechanisms to help identify suspicious activity, and a page that lets users examine all active logins.

Password re-use is a major no-no for important services. For more tips on how to pick decent passwords and avoid these problems, see this primer.

19 thoughts on “Dropbox: Password Breach Led to Spam”

  1. Rick Zeman

    I still don’t trust cloud-based services enough to protect me and my interests. That’s why the only confidential data that I place on Dropbox (and others) is encrypted by me first. Makes access a bit less convenient for me, but makes access a LOT more inconvenient to someone else. I’m sure the NSA can break the AES-256…but they probably know what’s in there anyway. 🙁

  2. Bill

    Eventually, companies that do not provide strong data encryption with passwords controlled by the user will go out of business. Users will migrate toward companies that offer full user control of encryption, with no possible decryption by the company. It’s also a desirable (essential?) feature, if you don’t want the govt potentially reading your data.

      1. Richard Steven Hack

        SpiderOak claims to… From a press release:

        “SpiderOak has had a consumer cloud storage service — SpiderOak Orange — since 2006 that allows consumers to back up, share and sync their data. SpiderOak’s claim to differentiation is its “zero-knowledge” privacy standard, which allows users to create their own passwords so that the SaaS provider couldn’t read a customer’s unencrypted data even if it wanted to.

        However, SpiderOak CEO Ethan Oberman pointed out that if a SaaS provider allows users to reset passwords, then it basically negates the security. “Anyone who can allow you to reset a password can get access to that password,” he said.

        Its new SpiderOak Blue business-class cloud places the ability to manage and reset passwords in the hands of a user company’s IT administrators.

        SpiderOak Blue offers a virtual appliance that places all management control into an open-source virtual machine that runs on a user company’s internal infrastructure. That enables full control of all data flowing in and out of an organization through SpiderOak.”

        Wikipedia has a comparison matrix, which includes listing those which do “Personal encryption” – where the keys are held client-side. Note that most of the services provided don’t allow this.


  3. Scott S

    I wonder if they realise that, due to the Dropbox interface software that a user needs to download onto their computer, a hacker would have more serious interests in mind than a few email addresses.

  4. Jocelyn

    Am I the only one shocked by the combination of the following?

    – Employee using his “corporate” password on other sites (awareness?)
    – Internal project documents on Dropbox public service (I know, eat your own dog food, but still)
    – Customer email addresses (and maybe more) in a project document

    That last one takes the cake. As long as companies continue to grant access to and disseminate data this way (versus using anonymized or test data in test/dev) there is little hope of getting infosec right…

    Anyway, this comforts me in not putting anything of value in my Dropbox.

  5. Liam

    I know I have reused my Dropbox password with other services, and I would like to change that as my accounts with those other services are now not secure.

    But my problem is that I do not have a list of all of the services that I have signed up to. Sure, I remember many of them, but not all. Is there any way of finding them all?

    1. JohnP

      You really need to start using a password manager. There are lots of other reasons for this, but just having a list of accounts “somewhere” will be helpful to your specific issue.
      * Nobody can remember services they signed up for once, last year or 5 yrs ago. You aren’t alone.
      * Use different email addresses for different types of accounts. Most sensitive accounts get your real, main, email address. Blogs get a spammy email address. Your ISP probably will give you 5 aliases.
      * Use different randomly created passwords for every site. Forget the days of 3 levels of passwords, since the difficulty in changing other passwords after a breach (20 or so?) is greater than having unique random passphrases for all of them.
      * A password manager makes all these things easy. I haven’t typed in any passwords in 2 yrs except the main 3 (home PC login, work PC login, complex passphrase to the password manager). Every website, even the blog that I run has a 30-60 character random password that I don’t know. I know I don’t know them.
      * All your passphrases can be long and hard, provided the service provider isn’t stupid … like most banks. Limiting the length of a password is stupid these days, yet every legacy bank I know still limits them to less than 12 characters. 12 character passwords can be brute force cracked in 24 hours using GPU cracking tools.

      Until you get an email from those unknown services, you are stuck trying to remember userids and URLs. Lots of people have that issue. I did a few yrs ago just like you.

      Go get KeePass v1.x as a portable app. Start entering all your credentials into it. Stay with the v1 DB since it is the most cross-platform. Set up a daily job to back up the DB to at least 3 different places. Make certain the passphrase needed to access this DB is 20+ characters, complex, and doesn’t use any dictionary words, doesn’t capitalize at the beginning or end, and uses punctuation in the middle of words with numbers in the middle too. Don’t use L33T either. Since you will need the password for this DB to last, never share it with anyone. It is the keys to your universe, after all.

      If the DB ever gets found by anyone else, the encryption needs to be strong enough to make it reasonably impossible for them to break using brute force or guessing for the next 30-60 years. I suspect you won’t be changing every website password annually, unless forced to do so.

      Using an Office-document or text file with all your userids and passwords is not the best choice. It is insecure AND inconvenient. A good password manager will make life easier. I’m serious. No need to pay for a commercial product either. The GPL licensed, F/LOSS tools are excellent and available on most platforms. Get one and try it for a week.

  6. Roberto

    Well, we had some discussions about Dropbox security measures months ago on their own forum. Arash, the co-founder, did not show a lot of interest in most of the suggestions made by users. Instead, every security issue that was discussed was being marginalized. I hope they listen & learn by now.

  7. Mike

    > But my problem is that I do not have a list of all of the services that I have signed up to. Sure, I remember many of them, but not all. Is there any way of finding them all?

    Nearly all of them sent a confirming email…check your email folders, incoming or sent.

  8. JohnP

    We’ve said this lots of times, but it bears repeating.

    If the company isn’t charging money for most of their services and their profit model isn’t extremely well established, then you are the product. If you are paying for a service, there is a higher expectation of professional standards and you’ll be more likely to win a lawsuit. If you aren’t paying … well, you get what you pay for …. eventually. Hopefully that doesn’t happen after some breach.

    I am not a user of any cloud services besides websites. No cloud storage, it is too easy to handle this myself to bother with a service that I have to trust. I looked at creating a service a few years ago and decided it couldn’t be profitable without charging money every month and lots of VC backing for over a year to build clients with giveaways. Dropbox is in a tough business.

    I do pay for a single website to help track my investments and better my ability to get good returns. That site makes me money for their modest annual price. They do more than provide data or news, they provide data analysis on thousands of stocks. Because I am paying, I feel the need to protect my credentials and the site has always had a unique email and random passphrase used nowhere else.

    People with elevated access to IT systems need to do this with every account they have. They should know better, especially with 3rd party websites. Further, if the company isn’t forcing their internal passwords to be changed every 3 months to fight exactly this issue, they are crazy.

    1. d

      First, let me publicly lament the demise of iDisk. I signed up for .Mac in 2005 for its backup purposes and found iDisk a lifesaver.

      While I understand your sentiment, in my experience, any way you can back up could be a potential godsend. In 2010, my home was broken into, and it appears the crooks were after one thing: my digital life. Not only did they take my computer, external hard drives, and a safe, they left a brand new TV and other electronics behind. (Government spies, maybe.)

      Since I signed up for .Mac, which became MobileMe, I still simply downloaded some of the more precious items. While that was good, I still lost some very important digital documents. Unlike most people, I use a cloud for storage, not to share photos or documents. Hence, I do not want a folder sitting on my computer with access to my stored files. I only wish more of the cloud companies thought this way or at least offered different versions of their products. (The best products I found, with great encryption and such, need Java for some reason, which I choose not to install.)

      I realize there are some people new to KrebsonSecurity, but maybe only Brian can change some people’s minds about using the same password for everything. Or it might take another breach…

  9. Rob Sobers

    “We’ve contacted these users and have helped them protect their accounts.”

    Given Dropbox’s poor track record when it comes to security, I was floored by this statement. They are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven’t been breached (yet)?

    LinkedIn made the same mistake a few months ago—they only reset the passwords for the accounts they believed to be affected. What did they base this on? The list of hashes that were published BY THE HACKERS?

    I also find it extremely unsettling that a Dropbox employee was storing customer information in their own Dropbox account. Stunned.

    More reactions here, if you’re interested: http://blog.varonis.com/dropbox-please-reset-everyones-password/

  10. Richard Steven Hack

    The amusing thing for me is that the only file I’ve stored (so far) in DropBox is…a PDF containing all my accounts and passwords…most of which are reusing several different passwords.

    At some point I’ll probably switch to a password manager – but I have a hard time trusting any software over my own head, even with backups of the PM DB.

    In any event, I don’t have anything terribly needing protection – other than my main machine and my bank account, of course. Sure, you can do some damage if you know someone’s social media accounts, etc. – but basically I’m so low on the totem pole even that wouldn’t do me much harm (short of storing kiddie porn in my accounts, presumably.)

    Still, it’s time to clean up my act, laziness or not. It would be embarrassing as an IT security pro to be lumped in with all the OTHER IT security pros who have been owned… 🙂

  11. Scott S

    Gosh, Steven Hack, I would be so much more careful than providing all the clues you have just done in your post. You have even made reference to your bank account.
    The point being to not forget that fora such as this one would most definitely be monitored by those with malicious intent, and with IP logging and a bit of nous they could very seriously compromise your situation even further, especially now that Dropbox has been compromised.
    I know this may sound extreme, but the only “pseudo safe place” for sensitive information is in your “wallet” chained to your belt and not digitally accessible.

      1. Richard Steven Hack

        Well, you’re right to some extent. I shouldn’t mention some things. But I doubt whatever I’ve said here would be enough to breach my systems. But I do need to up my game in that respect. Since I’m transitioning to doing more security work, I should make sure my systems and accounts are more hardened than the average user before some hacker decides to test me.

  12. certdoctor

    BK, love to hear a follow-up about this. Was watching TWiT and Leo Laporte said his password was reset and it was a wicked strong password… So what procedure did they use to reset some accounts? On the one hand it’s a matter of prudence which I respect, but on the other Leo uses some of those as business accounts and so it becomes a DoS issue… Delicate balance.
