Posts Tagged: Dropbox

Jun 16

Dropbox Smeared in Week of Megabreaches

Last week, LifeLock and several other identity theft protection firms erroneously alerted their customers to a breach at cloud storage giant — an incident that reportedly exposed some 73 million usernames and passwords. The only problem with that notification was that Dropbox didn’t have a breach; the data appears instead to have come from another breach revealed this week at social network Tumblr.

Today’s post examines some of the missteps that preceded this embarrassing and potentially brand-damaging “oops.” We’ll also explore the limits of automated threat intelligence gathering in an era of megabreaches like the ones revealed over the past week that exposed more than a half billion usernames and passwords stolen from Tumblr, MySpace and LinkedIn.

The credentials leaked in connection with breaches at those social networking sites were stolen years ago, but the full extent of the intrusions only became clear recently — when several huge archives of email addresses and hashed passwords from each service were posted to the dark web and to file-sharing sites.

Last week, a reader referred me to a post by a guy named Andrew on the help forum. Andrew said he’d just received alerts blasted out by two different credit monitoring firms that his dropbox credentials had been compromised and were found online (see screenshot below).

A user on the dropbox forum complains of receiving alerts from separate companies warning of a huge password breach at

A user on the dropbox forum complains of receiving alerts from separate companies warning of a huge password breach at

Here’s what LifeLock sent out on May 23, 2016 to many customers who pay for the company’s credential recovery services:

Alert Date: 05-23-2016
Alert Type: Monitoring
Alert Category: Internet-Black Market Website
**Member has received a File Sharing Network alert Email: *****
Password: ****************************************
Where your data was found: social media
Type of Compromise: breach
Breached Sector: business
Breached Site:
Breached Record Count: 73361477
Password Status: hashed
Severity: red|email,password

LifeLock said it got the alert data via an information sharing agreement with a third party threat intelligence service, but it declined to name the service that sent the false positive alert.

“We can confirm that we recently notified a small segment of LifeLock members that a version of their credentials were detected on the internet,” LifeLock said in a written statement provided to KrebsOnSecurity. “When we are notified about this type of information from a partner, it is usually a “list” that is being given away, traded or sold on the dark web. The safety and security of our members’ data is our highest priority. We are continuing to monitor for any activity within our source network. At this time, we recommend that these LifeLock members change their Dropbox password(s) as a precautionary measure.”

Dropbox says it didn’t have a breach, and if it had the company would be seeing huge amounts of account checking activity and other oddities going on right now. And that’s just not happening, they say.

“We have learned that LifeLock and are reporting that Dropbox account details of some of their customers are potentially compromised,” said Patrick Heim, head of trust and security at Dropbox. “An initial investigation into these reports has found no evidence of Dropbox accounts being impacted. We’re continuing to look into this issue and will update our users if we find evidence that Dropbox accounts have been impacted.” Continue reading →

Aug 12

Dropbox Now Offers Two-Step Authentication

Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee’s account exposed many Dropbox user email addresses.

Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the “Security” tab. Under account sign in, click the link next to “Two-step verification.” You’ll have the option of getting security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm.

If you’re already familiar with the Google Authenticator app for Gmail’s two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted,  open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you’re done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Continue reading →

Jul 12

Dropbox: Password Breach Led to Spam

Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they’d created specifically for use at Dropbox. Today, the company confirmed that suspicion, blaming the incident on a Dropbox employee who had re-used his or her Dropbox password at another site that got hacked.

In a statement released on its blog this evening, DropBox’s Aditya Agarwal wrote:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

A Dropbox spokeswoman said the company is not ready to disclose just how many user account credentials may have been compromised by this password oops, noting that the investigation is still ongoing.

Continue reading →

Jul 12

Spammers Target Dropbox Users

“Always have your stuff when you need it with Dropbox.” That’s the marketing line for the online file storage service, but today users have had difficulty logging into the service. The outages came amid reports that many European Dropbox users were being blasted with spam for online casinos, suggesting some kind of leak of Dropbox user email addresses.

The trouble began earlier today, when users on the Dropbox support forums began complaining of suddenly receiving spam at email addresses they’d created specifically for use with Dropbox. Various users in Germany, the Netherlands and United Kingdom reported receiving junk email touting online gambling sites.

Dropbox did not respond to emails seeking comment, but a forum user who self-identified as a company employee said Dropbox was investigating the reports.

At around 3 p.m. ET, the company’s service went down in a rare outage, blocking users from logging into and accessing their files and displaying an error message on I will update this post in the event that the company responds to my requests or provides some explanation of what caused today’s outage and the spam.

The outage and strange spam runs follow a week of high profile password and data breaches. Yahoo! acknowledged that more than 400,000 user names and passwords to Yahoo and other companies were stolen last Wednesday. Formspring, a social question-and-answer site, reset all user passwords after it discovered that approximately 420,000 password hashes from its servers had been posted to an online forum last Monday. and Billabong International also disclosed password breaches last week.

Continue reading →