Dropbox gets hacked ... again
Summary: After last year's embarrassing data breaches, Dropbox promised to implement additional safeguards "to prevent this from happening again." Whoops, it just happened again.
Running a secure online service is hard work. It costs money and it requires nonstop vigilance.
It’s the kind of work that gets tested regularly. How a company responds to security challenges defines the difference between earnest startups and companies that deserve to graduate to the big time.
Dropbox just failed that test.
Several weeks ago, Dropbox announced it was investigating some suspicious incidents on its network. The online storage company, which has been a phenomenal success among consumers and small businesses, said it had “brought in a team of outside experts” to investigate the incidents.
And today the other shoe dropped. In a post on the Dropbox blog, VP of Engineering Aditya Agarwal acknowledged that the worst-case scenario had occurred:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
Keeping Dropbox secure is at the heart of what we do, and we’re taking steps to improve the safety of your Dropbox even if your password is stolen…
Those are reassuring words. They would inspire more confidence if they didn’t echo Dropbox’s equally confident reassurances the last time the company suffered a potential security breach.
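The pattern Dropbox describes in the quoted post, credentials leaked from other sites replayed against its own login page, is credential stuffing. What follows is an added example, not Dropbox's code and not part of the original post: a small Python triage script that parses constructed login-log lines (the log format, the thresholds and the sample events are all assumptions), flags source addresses that try many distinct accounts in a short window with a high failure rate, and then lists the accounts that logged in successfully from such a source, which is the set of users a provider would have to contact.

```python
# Added example: credential-stuffing triage over login logs. This is not Dropbox's
# code; the log format, thresholds and sample events below are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one login attempt per line: "<ISO-8601 ts> <user> <source ip> <result>".
# 203.0.113.10 replays a stolen list (eight accounts in ten seconds, most failing because
# the leaked passwords are stale); 198.51.100.7 looks like an ordinary office NAT.
SAMPLE_LOG = """\
2012-07-31T10:00:01Z alice 203.0.113.10 success
2012-07-31T10:00:05Z bob 203.0.113.10 failure
2012-07-31T10:00:06Z carol 203.0.113.10 failure
2012-07-31T10:00:07Z dave 203.0.113.10 success
2012-07-31T10:00:08Z erin 203.0.113.10 failure
2012-07-31T10:00:09Z frank 203.0.113.10 failure
2012-07-31T10:00:10Z grace 203.0.113.10 failure
2012-07-31T10:00:11Z heidi 203.0.113.10 success
2012-07-31T10:05:00Z alice 198.51.100.7 success
2012-07-31T10:06:00Z alice 198.51.100.7 success
2012-07-31T10:07:00Z bob 198.51.100.7 failure
2012-07-31T10:07:30Z bob 198.51.100.7 success
"""

WINDOW = timedelta(minutes=5)   # illustrative thresholds, not tuned on real traffic
MIN_DISTINCT_USERS = 5          # one source trying many different accounts ...
MIN_FAILURE_RATIO = 0.5         # ... and most of those attempts failing


def parse(log_text):
    """Parse lines into (timestamp, user, ip, succeeded) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, ip, result == "success"))
    events.sort(key=lambda e: e[0])
    return events


def stuffing_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                     min_fail=MIN_FAILURE_RATIO):
    """Map each suspicious source ip to (distinct_users, failures, attempts) for the
    sliding window in which it tried the most distinct accounts."""
    by_ip = defaultdict(list)
    for when, user, ip, ok in events:
        by_ip[ip].append((when, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():          # attempts are already time-ordered
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                      # slide the window forward
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and failures / len(span) >= min_fail:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), failures, len(span))
    return flagged


def accounts_to_notify(events, flagged_ips):
    """Accounts that logged in *successfully* from a flagged source: their reused
    password evidently worked, so they need a forced reset and a warning."""
    hit = defaultdict(set)
    for _, user, ip, ok in events:
        if ok and ip in flagged_ips:
            hit[user].add(ip)
    return {user: sorted(ips) for user, ips in hit.items()}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    bad = stuffing_sources(evs)
    for ip, (users, fails, total) in bad.items():
        print(f"{ip}: {users} distinct accounts, {fails}/{total} failures")
    for user, ips in sorted(accounts_to_notify(evs, bad).items()):
        print(f"notify {user}: successful login from {', '.join(ips)}")
```

A per-source heuristic like this only catches an attacker sloppy enough to replay a whole list from one address. A campaign spread across many addresses at one or two attempts each is indistinguishable from ordinary logins in this data, which is why the durable defenses are a second factor at login and checking passwords against known-breached credential sets, not log analysis alone.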
Let’s flash back to June 2011, when Dropbox sheepishly admitted that a code update pushed to its web site had let anyone sign in to any Dropbox account without knowing its password.
In a blog post, Dropbox CTO Arash Ferdowsi confirmed that the problem occurred and blamed it on “a code update … that introduced a bug affecting our authentication mechanism.”
Dropbox says the bug was live for nearly four hours. A letter from the CEO to an affected customer confirms that user accounts were accessed during that window:
Earlier this week, we wrote to tell you about a security lapse at Dropbox. Today I am writing to tell you something I never expected to tell a customer. During our forensic analysis, we discovered that an extremely small number of accounts, including yours, were subject to some suspicious activity.
Our investigation revealed that at around 11:25 PM UTC (Coordinated Universal Time) on June 19, 2011 someone logged into your account. It is likely that your account was compromised by a third party. According to our records, neither your account settings nor files were modified, but data was downloaded from your Dropbox account.
Ferdowsi acknowledged, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” An update to his blog post adds the detail that “fewer than a hundred” Dropbox users were affected.
At the time, I said, “At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.” That obviously never happened.
Dropbox has built up an enormous reservoir of goodwill in its large and loyal user base. It is squandering that goodwill at a record pace.
Maybe it’s time for the company’s investors to turn it over to someone big enough to take security seriously.
Talkback
Did they....
C'Mon
Ahem...
Bzzzzzttttt.
Yes, Dropbox is not 5000 lines of code...
It was not like the hacker used the password to access some ultra high security area that was separate from the general users.
The hacker accessed an employee's Dropbox; most likely Dropbox is taking the high road here and not pointing fingers at the employee, or even naming the position of the person whose account was accessed. What if it was a marketing intern who copied it over to do some work at home and forgot that they did? Was the list 6 months old? 2 years old? It does not say. This time you had a company be proactive about the issue, bring in outside help to do an audit, and locate the issue. It happens, get over it. Should we stop using MS because they have a vuln pretty much weekly? How about Linux, because there have been root security holes that have been reviewed by thousands of people over the years and missed? How about Apple? Well, actually, boycott Apple; their corp policy sucks and they refuse to acknowledge security vulnerabilities.
Here you are seeing a small company blossom, and they are doing it quickly. Policies need to be put in place and they are being done. Anyone that has ever had to deal with actually writing the policies, getting them approved by management, getting them through legal, and then getting them followed knows that this can take many months to years to get done. In the scheme of things, this sucks, but it's really not even newsworthy unless you have nothing else to write about.
Oh and as for me being a dropbox fanboy, not even a chance. I used it for about 2 months years ago and realized I have no real need for it. I also know that anytime you host stuff in the 'cloud' you have to expect there to be 0 security for it unless you host the cloud yourself.
Verification on new computers
Cloud storage security should be one of their main concerns, especially for Dropbox because it's their main business. I would still be extremely upset if my account was hacked and files were stolen (although I doubt I have much that all but a select few would want to steal stored on Dropbox).
The SkyDrive way
Would never ever use Dropbox, Just don't trust them anymore.
Yet you trust SkyDrive?
2 Auth is a good idea
The main difference is that what Ed would like you to believe, that Dropbox was hacked, is factually incorrect. A single file was downloaded from a single user (who happened to be an employee).
Should they require the double auth even for you to view it from the website? If so, you have to double auth every time you clear your cookies. This does not seem like they actually had downloaded the files via the client, just that a single file was downloaded, which more likely than not would have been through the web client.
Dropbox security
Dropbox - 2 security breaches during one year
SkyDrive - 0 security breaches during 6 years
You choose...
Bingo
But online security is NOT an option, or a free ticket to cut corners. Nor is putting profits before battening down the hatches. Dropbox needs to give itself a swift kick in the ass, or others will do it for them. Gladly.
Ahem indeed
One is not very observant
So?
Also, you claim to be a security expert and are silent as the grave when there are flaws by a "certain vendor" of software.
Lastly, your defensiveness is highly amusing.
People reuse passwords across sites
It makes total sense that a limited, illegitimate use of valid credentials does not raise alarms at Dropbox. You do not need much spam to cause a stir, but you do need a lot of such traffic to be able to distinguish it from legitimate traffic, or even from single incidents of users' passwords being breached by their own carelessness.
How exactly is Dropbox to protect against users using the same passwords across sites and the passwords being breached on another site?
I'm with those that believe that it is a little unfair to dump this on dropbox.
Credentials are going to be reused across sites
Something's gotta give, and soon, or we'll all become inevitable (inexorable) pawnage. Maybe it's time to mass adopt the measures the banking houses* have employed, to at least some degree of success. And even within that more in-depth framework, there's room for improvement.
[* Doesn't prevent the brass monkeys in the towers from pilfering their customers from within, but it's getting tougher to breach their cribs from outside their moats.]
Next news we read: ZDNET was hacked...
Bzzzztttt? :)
Yes, they were right to bring in outsiders
But more importantly, cases where customer accounts are being accessed because those customers are reusing passwords require a deep look outside of Dropbox. The investigator basically needs to infiltrate the world of stolen login credentials. I have no idea of the numbers, but I very strongly suspect that for every case like Sony or LinkedIn where the breach and data were made public, there are many times more that are not made public.
So an investigator needs to find out what usernames and passwords have been discovered through breaches at other sites. That involves getting a hold of data that tends to be bought and sold among the criminals, or asking for help from someone who already has access to that.
I hope you realize that you (Ed Blott) are shooting yourself in the foot with articles and comments like this. You cry wolf and display a deep failure to understand how password security works (or fails to work). When you do report on real security problems, I'm not sure that anyone in the business will actually believe you.
-j
You are wrong.
Still Being Unfair
sadly....