
I don't know where else to bring this up, and had no idea how to discuss it when it happened. So I'll do it here, in this excellent thread of security discussion.

Dropbox doesn't send an email notification, or anything of the sort, when adding a computer to your Dropbox account.

I discovered this when one day I realized some of my files in Dropbox were deleted. Specifically, my 1Password file.

I logged in to check things out, and discovered that there was a weird computer added to my account. I promptly changed my Dropbox password, did a recovery of my 1Password file, changed the master password of that, then went through and changed passwords of my most important information stored in 1Password.

The fault lay with me, in that my Dropbox account was still using my temp 'testing this service out' password I'd used when I first signed up. Stupid me. My 1Password master password was already very strong so I wasn't highly concerned.

What ticked me off was that there was absolutely no notification or verification process when adding a computer to your Dropbox account! I wrote Dropbox, and their only response, after MANY days, was 'make sure your password is strong'.




On the security page you can turn on email notifications for system additions: https://www.dropbox.com/account#security

On your account page you can enable RSS feeds. The home page then has a link to the feed, which I have in Google Reader. It includes all file changes, as well as machine additions and removals.


The email notifications for system additions most certainly didn't exist when I wrote Dropbox about it. I did, however, know about RSS but didn't choose to use that as a notification system (and wasn't aware it notified about machine additions or other system stuff).

Thanks :)


Thanks for this, as well.

I had perhaps a dozen or so old entries on there. Now, I don't know if there are actually any serious security implications here, especially since most of those instances are genuinely defunct. However, there's no sense in leaving them around if I'm not using them anymore. Maybe it's worth checking out and pruning? I don't know.


FYI: They added these notifications recently.



