DropBox CEO: Lone hacker downloaded data from 'fewer than a hundred' accounts

DropBox CEO: Lone hacker downloaded data from 'fewer than a hundred' accounts

Summary: In a personal apology letter DropBox CEO Drew Houston claims that a single individual accessed fewer than a hundred accounts during last Monday's breach.


A user victimized by last Monday's security lapse at DropBox sent me this personal apology letter from CEO Drew Houston.

My tipster now only uses DropBox in conjuction with TrueCrypt as a result of the breach. They also mentioned that the promised credit monitoring still hasn't been delivered and that a class action lawsuit is gaining momentum.

Earlier this week, we wrote to tell you about a security lapse at Dropbox.  Today I am writing to tell you something I never expected to tell a customer.  During our forensic analysis, we discovered that an extremely small number of accounts, including yours, were subject to some suspicious activity.

Our investigation revealed that at around 11:25 PM UTC (Coordinated Universal Time) on June 19, 2011 someone logged into your account.  It is likely that your account was compromised by a third party.  According to our records, neither your account settings nor files were modified, but data was downloaded from your Dropbox account.  It is important that you immediately take the following steps:

* If you had sensitive, personal, or financial information in your Dropbox or in the names of the files in your Dropbox account (for example, credit card numbers, bank account information, social security numbers) you should monitor your credit for any suspicious activity.  You can learn more about identity theft at the FTC's Identity Theft Site http://www.ftc.gov/bcp/edu/microsites/idtheft/ .

* We have made arrangements for you to have free access to a credit monitoring service.  Please email us at support@dropbox.com if you would like to use this program.  You may also want to consider canceling any credit cards whose information was located in the folders listed above.

* If you stored passwords in your Dropbox, please make sure to change those passwords as soon as possible.

* Again, we urge you to review your account for any unauthorized activity and inform us immediately about your concerns.

As we mentioned earlier, the security lapse occurred during a code update that introduced a bug affecting our authentication mechanism.   We will continue our investigations, but as best as we can tell right now, a single individual took advantage of the lapse to access fewer than a hundred accounts.  Our team has been working around the clock to understand what happened and to make sure that it never happens again.

I cannot express how deeply sorry I am.  Dropbox is my life, and I know that we are only as good as the trust we have built with our customers. This should not have happened, and I am hopeful that you will give us the chance to make this right and regain your trust.

I am here and ready to answer your questions and do whatever I can to help.  Please do not hesitate to call me at (deleted).  Or if you'd like me to call you just reply with your phone number and I'll give you a call.

Topics: Government US, Banking, Government, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Hackers Suck.

    Man. Hackers really suck. It seems like it's getting worse and worse lately. I guess with the lack of jobs, people are just sitting at home creating problems for everyone else. Idle hands...

    Maybe if they'd start punishing convicted hackers by, oh, I don't know, cutting their fingers off, people would knock it off. But instead they get 18 months in jail and restricted from the library. Idiots.

    This stuff is ridiculous and companies need to spend how ever much money it takes to keep them out and track down and disarm any that get in.
  • RE: DropBox CEO: Lone hacker downloaded data from 'fewer than a hundred' accounts

    There is no way to secure an online system. Period. So where do we go from here?
  • RE: DropBox CEO: Lone hacker downloaded data from 'fewer than a hundred' accounts

    Dropbox has changed its policy such that you should never, *ever* put up art, articles, manuscripts, or anything else that is or might be copyrighted.

    " . . . By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service."
  • RE: DropBox CEO: Lone hacker downloaded data from 'fewer than a hundred' accounts

    Hacker is a problem with many people! I also got some problems few days ago with my <a rel="dofollow" href="http://www.vietnamtravelforum.org">Travel Forum</a>. But now they have gone!