Dropbox gets hacked ... again

Summary: After last year's embarrassing data breaches, Dropbox promised to implement additional safeguards 'to prevent this from happening again.' Whoops, it just happened again.

Running a secure online service is hard work. It costs money and it requires nonstop vigilance.

It’s the kind of work that gets tested regularly. How a company responds to security challenges defines the difference between earnest startups and companies that deserve to graduate to the big time.

Dropbox just failed that test.

Several weeks ago, Dropbox announced it was investigating some suspicious incidents on its network. The online storage company, which has been a phenomenal success among consumers and small businesses, said it had “brought in a team of outside experts” to investigate the incidents.

And today the other shoe dropped. In a post on the Dropbox blog, VP of Engineering Aditya Agarwal acknowledged that the worst-case scenario had occurred:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen…

Those are reassuring words. They would inspire more confidence if they didn’t echo Dropbox’s equally confident reassurances the last time the company suffered a potential security breach.

Let’s flash back to July 2011, when Dropbox sheepishly admitted that it had inadvertently published code on its website that allowed anyone to sign in to any Dropbox account without credentials:

In a blog post, Dropbox CTO Arash Ferdowsi confirmed that the problem occurred and blamed it on “a code update … that introduced a bug affecting our authentication mechanism.”

Dropbox claims the outage lasted nearly four hours. A letter from the CEO to an affected customer confirms that user accounts were accessed during that outage:

Earlier this week, we wrote to tell you about a security lapse at Dropbox. Today I am writing to tell you something I never expected to tell a customer. During our forensic analysis, we discovered that an extremely small number of accounts, including yours, were subject to some suspicious activity.

Our investigation revealed that at around 11:25 PM UTC (Coordinated Universal Time) on June 19, 2011 someone logged into your account. It is likely that your account was compromised by a third party. According to our records, neither your account settings nor files were modified, but data was downloaded from your Dropbox account.

Ferdowsi acknowledged, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” An update to his blog post adds the detail that “fewer than a hundred” Dropbox users were affected.

At the time, I said, “At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.” That obviously never happened.

Dropbox has built up an enormous reservoir of goodwill in its large and loyal user base. It is squandering that goodwill at a record pace.

Maybe it’s time for the company’s investors to turn it over to someone big enough to take security seriously.

  • Did they....

    ...Hire former Sony employees? :(
    The one and only, Cylon Centurion
  • C'Mon

    You have to be fair. This was NOT a breach of drop-box. It was people stupidly using usernames and passwords on multiple sites. Not smart, but not exactly uncommon these days.
    • Ahem...

      They needed outside help to figure out that "a stolen password was also used to access an employee Dropbox account"?

      Ed Bott
      • Yes, dropbox is not 5000 lines of code...

        Not sure if you are a programmer, have ever been one, or even understand how it works. When you deal with huge amounts of code there will always be security holes. This time it was not even their own security hole, nor could they catch it. Should they be monitoring the IPs that log in to all accounts and flip out if it all of a sudden comes from a different country? There goes traveling and using your dropbox. Security always causes usability and ease of use to go down; it's all about finding the right line.

        It was not like the hacker used the password to access some ultra high security area that was separate from the general users.

        The hacker accessed an employee's dropbox; most likely dropbox is taking the high road here and not pointing fingers at the employee or even the position of the person whose account was accessed. What if it was a marketing intern who copied it over to do some work at home and forgot that they did? Was the list 6 months old? 2 years old? It does not say. This time you had a company be proactive about the issue, bring in outside help to do an audit and locate the issue. It happens, get over it. Should we stop using MS because they have a vuln pretty much weekly? How about linux because there have been root security holes that have been reviewed by thousands of people over the years and missed? How about Apple, well actually boycott Apple, their corp policy sucks and they refuse to acknowledge security vulnerabilities.

        Here you are seeing a small company blossom and they are doing it quickly. Policies need to be put in place and they are being done. Anyone that has ever had to deal with actually writing the policies, getting them approved by management, getting them through legal, and then getting them followed knows that this can take many months to years to get done. In the scheme of things, this sucks, but it's really not even newsworthy unless you have nothing else to write about.

        Oh and as for me being a dropbox fanboy, not even a chance. I used it for about 2 months years ago and realized I have no real need for it. I also know that anytime you host stuff in the 'cloud' you have to expect there to be 0 security for it unless you host the cloud yourself.
        • Verification on new computers

          I don't think it would be that big of a deal for dropbox to have some sort of verification required (through email or something) when you log on from a new computer. This would make it much harder to hack into an account as you'd have to also hack the email at the same time. There's some online based games that do this and it's not a huge hassle (blizzard/battle.net comes to mind).

          Cloud storage security should be one of their main concerns, especially for dropbox because it's their main business. I would still be extremely upset if my account was hacked and files were stolen (although I doubt I have much that all but a select few would want to steal stored on dropbox).
          Sam Wagner
          • The Skydrive way

            Exactly what Skydrive does. Tried to access my wife's Skydrive (to help her look for a file) from work. I got a security question immediately, which told me they offered to send me an SMS message with a one-time code. That's the way to do it :-)

            Would never ever use Dropbox, Just don't trust them anymore.
          • Yet you trust skydrive?

            Really with all the actual MS security breaches / hacks / etc you trust them over dropbox? This was not even a hack... It was a list of email addresses that got located in a place it should not have been...
          • 2 Auth is a good idea

            I completely agree with having double authentication, however it should only be an option.

            The main difference is what Ed would like you to believe, that dropbox was hacked, is factually incorrect. A single file was downloaded from a single user (that happened to be an employee).

            Should they require the double auth even for you to view it from the website? If so you have to double auth every time you clear your cookies. It does not seem like they actually downloaded the files via the client, just that a single file was downloaded, which more likely than not would have been through the web client.
        • Dropbox security

          No matter how you defend it...

          Dropbox - 2 security breaches during one year
          Skydrive - 0 security breaches during 6 years

          You choose...
          • Bingo

            When you criticize the big boys, be prepared to scope and critique the little juniors too. Scaled appropriately, in the name of fairness (and funding).

            But online security is NOT an option, or free ticket to corner cut. Nor is putting profits before battening down the hatches. Dropbox needs to give itself a swift kick in the ass, or others will do it for them. Gladly.
      • Ahem indeed

        One notes that you were as silent as the grave over Microsoft's certificate fiasco.
        • One is not very observant

          As I pointed out to you the last time you raised this nonsense, our Security blog was all over it. Yes, we have multiple contributors here.
          Ed Bott
          • So?

            You frequently comment on stuff that is "sensational" that numerous other bloggers have covered. So that argument is a non-starter.

            Also, you claim to be a security expert and are silent as the grave when there are flaws by a "certain vendor" of software.

            Lastly, your defensiveness is highly amusing.
      • People reuse passwords across sites

        I can certainly fathom dropbox hiring an outside firm when 1) they are being accused of being used to spam their users with the allegations seemingly credible and 2) they cannot see any sign of breach on their services.

        It makes total sense that a limited, illegitimate use of valid credentials does not raise alarms at dropbox. You do not need much spam to cause a stir, but you do need a lot of such traffic to be able to distinguish it from legitimate traffic or even single incidents of users' passwords being breached by their own carelessness.

        How exactly is dropbox to protect against users using the same passwords across sites and the passwords being breached on another site?

        I'm with those that believe that it is a little unfair to dump this on dropbox.
        • Credentials are going to be reused across sites

          Knowing that will unlikely change, there needs to be an improvement across the board for more advanced authentication schemes. Dropbox is just the latest tip of the iceberg, and they're no worse than plenty of others. But therein lies the scope of the problem. Less and less is now deemed "secure" as things "progress" ever forward on the WWW.

          Something's gotta give, and soon, or we'll all become inevitable (inexorable) pawnage. Maybe it's time to mass adopt the measures the banking houses* have employed, to at least some degree of success. And even within that more in-depth framework, there's room for improvement.

          [* Doesn't prevent the brass monkeys in the towers from pilfering their customers from within, but it's getting tougher to breach their cribs from outside their moats.]
      • Next news we read: ZDNET was hacked...

        Then, it turns out someone stole Ed's account from some other site and it so happened Ed uses the same password on ZDNET to publish this blog.

        Bzzzztttt? :)
      • Yes, they were right to bring in outsiders

        As others have mentioned, they were being accused of spamming. Obviously they needed outside, independent investigators.

        But more importantly, cases where customer accounts are being accessed because those customers are reusing passwords require a deep look outside of Dropbox. The investigator basically needs to infiltrate the world of stolen login credentials. I have no idea of the numbers, but I very strongly suspect that for every case like Sony or LinkedIn where the breach and data were made public, there are many times more that are not made public.

        So an investigator needs to find out what usernames and passwords have been discovered through breaches at other sites. That involves getting a hold of data that tends to be bought and sold among the criminals, or asking for help from someone who already has access to that.

        I hope you realize that you (Ed Blott) are shooting yourself in the foot with articles and comments like this. You cry wolf and display a deep failure to understand how password security works (or fails to work). When you do report on real security problems, I'm not sure that anyone in the business will actually believe you.

    • You are wrong.

      I have never used the same password twice on two systems. Yet I was informed by Dropbox that my account was compromised and they changed my password. I got the same admonition about "hey stupid, this is your fault since you used the same password on more than one system". That appears to be a cover-up to blame the victims in this case. There is a real problem with Dropbox security and they appear to have no idea what it is and are just covering it up.
  • Still Being Unfair

    If there was a possibility of it being an inside job, a third party audit would be the thing to do.
  • sadly....

    Most people won't care enough to remove their account. Account security these days is like major automobile accidents, no one thinks it will happen to them, and then we all become reactive instead of being proactive.
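The "verification on new computers" scheme proposed in the thread above (a one-time code sent out of band when a correct password arrives from an unrecognised device, plus a trusted-device cookie afterwards) as a toy Python model; this is an added example, not Dropbox's or Skydrive's code and not written by any commenter. It also exercises the caveat raised in the thread that clearing cookies means verifying again. The class and attribute names (`AccountService`, `outbox`, `trusted`) are assumptions; the `outbox` list stands in for the e-mail or SMS channel.

```python
import hashlib
import hmac
import secrets


class AccountService:
    """Toy 'verify when logging in from a new computer' flow (constructed example)."""

    def __init__(self):
        self.users = {}    # username -> (salt, pbkdf2 hash of password)
        self.trusted = {}  # username -> set of device tokens (what the cookie carries)
        self.pending = {}  # (username, device token) -> one-time code not yet confirmed
        self.outbox = []   # (username, code): stands in for e-mail/SMS delivery (assumption)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(salt, password))

    def login(self, username, password, device_token=None):
        """'denied' on a bad password; 'ok' on a trusted device; otherwise 'verify'
        with a fresh device token whose one-time code went to the user's mailbox."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(self._hash(rec[0], password), rec[1]):
            return ("denied", None)
        if device_token in self.trusted.get(username, set()):
            return ("ok", device_token)
        # Password is right but the device is unknown: a reused/stolen password alone
        # does not get in; the attacker would also need the mailbox (or the cookie).
        new_device = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(username, new_device)] = code  # no expiry modelled (simplification)
        self.outbox.append((username, code))
        return ("verify", new_device)

    def confirm(self, username, device_token, code):
        """Single-use: the pending entry is removed whether or not the code matches."""
        expected = self.pending.pop((username, device_token), None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        self.trusted.setdefault(username, set()).add(device_token)
        return device_token
```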