
Dropbox Smeared in Week of Megabreaches - alanfranzoni
http://krebsonsecurity.com/2016/06/dropbox-smeared-in-week-of-megabreaches/
======
bogomipz
"CSID, an identity monitoring firm that is in the midst of being acquired by
credit bureau giant Experian."

Experian a few months ago had a breach whereby millions of T-Mobile customers,
who had no idea that Experian was storing their data, had all of their
sensitive data stolen. Experian's "solution" to the problem was to offer those
who had their data stolen 2 years of _free_ credit monitoring. Think about
that for a moment - "we allowed your sensitive data that you didn't approve of
us storing to be compromised and so we will now offer you a 2 year service
after which you will be charged."

That is so completely outrageous, people should be out with pitchforks and
torches but you can't fight this stuff, these agencies are far too powerful.

Just to further underscore how outrageous Experian and the other two agencies
are - Experian notified people who had their data compromised using snail
mail! What kind of decision is that for a time-sensitive situation?!

Lastly, the letter they sent to customers (I read the letter of my friend who
was a victim) said that the data that was compromised was data they were
storing on T-Mobile's behalf, as if they were in no way culpable.

So I guess this is their strategy going forward: to acquire a half-baked
and suspect security firm that will damage innocent companies' reputations the
same way they themselves have damaged innocent people's credit and identities.

I would urge people to call the three big credit agencies - Trans Union,
Experian and Equifax and request that your credit be "locked." This means that
nobody can look at your credit profile, except for people you currently have a
line of credit with. You will be issued a pin and if and when you need to
apply for credit you can then unlock your credit profile and re-lock it
afterward. You need to re-up on this every two years which is insane as having
your credit profile locked should be the default and should be in perpetuity,
but you do what you can.

~~~
toomuchtodo
> I would urge people to call the three big credit agencies - Trans Union,
> Experian and Equifax and request that your credit be "locked." This means
> that nobody can look at your credit profile, except for people you currently
> have a line of credit with. You will be issued a pin and if and when you
> need to apply for credit you can then unlock your credit profile and re-lock
> it afterward. You need to re-up on this every two years which is insane as
> having your credit profile locked should be the default and should be in
> perpetuity, but you do what you can.

Keep in mind you will be charged for this.

[https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

> You'll need to supply your name, address, date of birth, Social Security
> number and other personal information. Fees vary based on where you live,
> but commonly range from $5 to $10.

~~~
bogomipz
By locking your credit, however, you are denying them the future business of
selling your credit profile. Think if everyone did it.

But yes, it's completely outrageous: you have to pay someone you didn't
approve of having your data in the first place to stop them from giving it to
another party you likely didn't approve of having it either.

~~~
CrazyMusicians
Actually, freezing your credit does nothing to stop the bureaus from selling,
mining, combining or otherwise doing what they want with the data they hold
about you.

------
jpmattia
Buried lede imo: TeamViewer having similar issues. Lots of folks claiming it's
breached, TV denying it. A lot of potential mischief there, if breached.

[https://www.reddit.com/r/technology/comments/4m7ay6/teamview...](https://www.reddit.com/r/technology/comments/4m7ay6/teamviewer_has_been_hacked_they_are_denying/)

~~~
jasonellis
I have found no indication that my TeamViewer computers were hacked, but after
reading this for a few days I finally disabled TV on them last night and I'm
looking for other solutions.

After using TeamViewer for over 5 years, I started getting a handful of
invites on the service from random names about a month ago (I had never gotten
a single invite prior). That alone signaled to me that something may be amiss.
I'm afraid that where there is smoke, there's fire.

~~~
JorgeGT
Have you considered NoMachine NX? I found it to be more or less comparable in
terms of performance and settled on it because I wasn't very keen of the
centralized TV model.

------
JamesBaxter
Troy Hunt wrote an interesting post on how he verifies breaches recently[0]

The amount of fact checking tech "journalists" do means wrong information can
really spiral out of control. I wonder if Dropbox can sue?

[0] [https://www.troyhunt.com/heres-how-i-verify-data-breaches/](https://www.troyhunt.com/heres-how-i-verify-data-breaches/)

~~~
ghrifter
> tech "journalists"

ah, the old cut and paste from one site's article, rearrange some words, grind
it through a thesaurus-izer, then repost.

------
maxerickson
Lifelock should just be regulated out of existence. If a company can add $100
of value per year by pretending to monitor credit reports, the credit bureaus
can be instructed that whatever Lifelock is doing is table stakes for a
company that is selling evaluations of creditworthiness.

~~~
ccvannorman
Lifelock was just doing their job (they thought). Also they offer insurance of
up to $1M for damages as a result of ID theft. As far as ID theft continues to
be pervasive we need companies like LL.

~~~
dnm
What does that $1M actually cover though?

“But if someone takes out a mortgage in your name and now you owe the bank
$100k or more – nobody covers that, and that’s what they need to cover.”

[http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/](http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/)

~~~
ccvannorman
Usually the banks take responsibility for that as it's their duty to do due
diligence (say that six times fast!). I've had my credit card # stolen plenty
of times and never been liable.

LifeLock's insurance covers court/lawyer fees/damages, IIRC.

------
syphilis2
One of my free credit monitoring services, which I received as compensation
from a previous data leak, alerted me last week that a few email accounts of
mine wound up in a dropbox. A few things I noticed:

The alert only says that the "Potential Site" of where the email was
compromised is listed as www.dropbox.com.

The option for changing a password in online mail clients is lost in the menu
clutter. In Gmail the process is to click _Menu Bubble_ > _My Account_ >
_Signing in to Gmail_ > _Password_. The issue I had is that at the 1st menu
level there are options for _Google+ Profile_, _Settings_, _Privacy_, and
_My Account_ which all seem like valid places for the _Change Password_ option
to live. Each submenu is similarly cluttered, though when I found the correct
path it made sense in retrospect.

I can't imagine Grandma changing her Gmail password this way. Maybe Google
could replace the "Dvorak Keyboard" menu (_Select Input Tool_ > _English
Dvorak_) with an _Update Password_ button. Is there a simpler process I'm not
aware of?

------
powera
So many people will believe anything a "hacker" says as long as it's bad for
them. In general, these 100 million password dumps are almost always complete
garbage, but everyone along the way says "better to be safe than sorry" and
ignores all the warning signs (in this case, that the file obviously wasn't
Dropbox credentials).

------
rcarmo
Strangely enough, my Dropbox client just asked me for a password for the first
time in... ages.

Says it's version 5.3.19.

------
jbandela1
I wonder if this file with the tumblr passwords was placed in an unprotected
shared dropbox folder. Thus, although the actual passwords were from tumblr,
the passwords were downloaded by "worm" via a dropbox "breach".

------
draw_down
Very irresponsible behavior.

~~~
xufi
Agreed. This happened to them before, I believe. Besides Dropbox, I heard other
companies like LinkedIn recently were hacked and thousands of users' passwords
were leaked. I guess it's safe to say in this day and age you can never be sure
sometimes.

------
BrainInAJar
And they want in to your kernel...

