

Dropbox Breach: Fewer Than 100 Accounts Affected, One Person Actively Exploited - tilt
http://techcrunch.com/2011/06/24/dropbox-breach-fewer-than-100-accounts-affected-but-one-person-actively-exploited-it/

======
mgl
Nicely handled by Drew, congrats. From PR perspective the only thing missing
is a statement on how they are going to prevent such situations from happening
in the future.

~~~
mtogo
Drew should really be handling their PR. I'm not sure why they still let Arash
post anything publicly.

------
jerrya
I think the title is misleading... One person was responsible for exploiting
up to 100 people.

~~~
edwardy20
Yeah it should be "One Person Actively Exploited up to 100 People".

------
Havoc
The part of one individual doing all the accessing can't be right. The dude
who reported it (on HN or Reddit, not sure) said he had his friend double check
it.

~~~
colonelxc
They may just be counting those who were actively exploited, and excluded the
cases where the guy and his friend were checking a few accounts. Since they
reported it, it would be fairly easy to isolate their activities from other
accesses.

~~~
VMG
Still, they should be more precise in their language.

------
ghurlman
I still maintain they should send an "all clear" email to people that weren't
accessed, just for peace of mind.

~~~
jerrya
I haven't even received my notice that there was a security breach to begin
with.

I wonder if Dropbox lists on its balance sheet a Teflon shield, or Jobsian
field of distortion generator...

~~~
chernevik
Apple's been disclosing theirs for years -- required to by GAAP -- but the
thing prevents people from noticing it.

These only appear when notice of them is helpful, say in court cases and such.
Sort of like using an eclipse to see a star through a gravitational lens. And
even then you can't remember the case, or its role in the reasoning, just that
Apple was totally not at fault.

------
rdl
This was a great letter, and Drew handled this perfectly. I am impressed.

------
jasongullickson
Yes it was a nicely worded email but without a file-level log of what was
accessed and when it's hard to know if you need to worry about this or not.

~~~
veidr
They really should have referenced it in the email, but Dropbox does already
have a file-level timestamped activity log that you can access for your account
anytime:

<https://www.dropbox.com/events>

EDIT: Oops, my bad: this log only tracks add, edit, move, delete. It doesn't
show what files have been viewed/downloaded. Sorry for the noise.

~~~
jasongullickson
True, however this doesn't appear to track "reads" (unless I'm overlooking
something?).

