

Dropbox Says No Intrusions Found, Investigation Continues - irunbackwards
http://techcrunch.com/2012/07/20/no-news-is-good-news-dropbox-says-no-intrusions-found-investigation-continues/

======
kalleboo
We had the same problem at MacHeist (people got their specific macheist+
prefixes targeted with spam). Turned out it was our email provider iContact
who were hacked. We weren't the only ones. They posted a non-committal blog
post about "investigating the matter", which then mysteriously disappeared
when they upgraded their blogging platform.

The hack did real damage to our reputation (the "software bundle" space has a
poor reputation to begin with, and receiving spam confirmed people's
expectations), and they wouldn't own up to it. Be careful which third
parties you entrust your users' email addresses to.

~~~
SomeCallMeTim
I use unique addresses, and periodically am on the reporting end of problems
like this. Once I started getting the same spam from two unrelated companies
at the same time, and they tracked it down to a common email marketing company
that was where the actual breach occurred. Another time it turned out emails
had been staged in a less secure system in preparation for sending email
marketing. So it must be pretty common that a compromise doesn't actually mean
the core product or database has been compromised.

For the record, I haven't received any spam to my Dropbox-only email account,
which means they probably didn't get the WHOLE user database.

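As an added illustration of the per-service alias technique SomeCallMeTim describes (this is example code written for this page, not something posted in the thread), the script below attributes unsolicited mail to the service whose unique alias received it, and then groups hit services by the bulk mailer they share, so that a common email marketing provider shows up as a stronger lead than any single service. The recipient addresses, the alias registry and the "mailer-x" provider name are all constructed for the example and do not describe real vendor relationships.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: envelope recipients of unsolicited messages, one per
# message, on a mailbox that hands out a unique alias per service
# (user+<service>@example.org). Not real data.
SAMPLE_RECIPIENTS = [
    "user+dropbox@example.org",
    "user+dropbox@example.org",
    "user+shopfoo@example.org",
    "user+shopbar@example.org",
    "friend@example.org",  # plain address, cannot be attributed
]

# Which services were given an alias, and which bulk mailer each is known to
# use (None = unknown). Constructed for the example; "mailer-x" is made up.
ALIAS_REGISTRY = {
    "dropbox": None,
    "linkedin": None,
    "shopfoo": "mailer-x",
    "shopbar": "mailer-x",
}

# local-part "+" tag "@" ... (plus-addressing as supported by many mail hosts)
ALIAS_RE = re.compile(r"^[^+@]+\+([A-Za-z0-9]+)@")


def alias_tag(address):
    """Return the service tag of a plus-addressed recipient, or None."""
    m = ALIAS_RE.match(address.strip())
    return m.group(1).lower() if m else None


def count_by_service(recipients, registry):
    """Count spam messages per registered service alias.

    Mail to an unregistered tag or to an untagged address is reported under
    the key "unattributed" so it is not silently dropped.
    """
    counts = Counter()
    for rcpt in recipients:
        tag = alias_tag(rcpt)
        counts[tag if tag in registry else "unattributed"] += 1
    return dict(counts)


def rank_suspects(counts, registry):
    """Group hit services by the provider they share.

    A provider used by two or more hit services is a stronger lead than any
    single service (the shared marketing-company case); a hit service with
    no known provider is listed on its own. Returns [(suspect, [services])]
    sorted by number of implicated services, then by name.
    """
    by_suspect = defaultdict(list)
    for service, n in counts.items():
        if service == "unattributed" or n == 0:
            continue
        suspect = registry.get(service) or service
        by_suspect[suspect].append(service)
    return sorted(
        ((s, sorted(v)) for s, v in by_suspect.items()),
        key=lambda kv: (-len(kv[1]), kv[0]),
    )


if __name__ == "__main__":
    hits = count_by_service(SAMPLE_RECIPIENTS, ALIAS_REGISTRY)
    for suspect, services in rank_suspects(hits, ALIAS_REGISTRY):
        print(f"{suspect}: spam reached aliases given to {', '.join(services)}")
```

On the constructed sample the shared provider "mailer-x" ranks first because two of its customers' aliases were hit, while the Dropbox alias stands alone; that matches the thread's point that a compromise at a third party can look, from the user's side, exactly like a compromise of the service itself until the overlap is checked.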
------
gdeglin
Has anyone considered that the LinkedIn hack (6.5+ million accounts, with
passwords run through a non-salted SHA-1) could be responsible for much of
this?

I remember a lot of people having their Diablo 3 accounts hacked and their
items stolen right around that time.

~~~
ttran4
This seems possible. People usually use the same email and password for every
account they create, so all the hacker needs to do is try the username and
password on accounts on other sites.

~~~
woobles
The article specifies that many people targeted used emails unique to their
Dropbox accounts.

------
eps
Must be some 3rd party app that proxies Dropbox services and/or login.

------
Kronopath
For what it's worth, I've been getting these "Euro Dice Exchange" spam
messages in Canada as well. I believe the emails are being sent out sorted by
domain name, as the email I received was addressed to both my university
e-mail (which I used to sign up for Dropbox) and several other university
e-mail addresses.

This is definitely not from the LinkedIn hack. I don't have a LinkedIn
account. Combined with the people who were receiving spam at Dropbox-specific
emails, I don't see how it could be anything other than Dropbox.

------
diminoten
Anyone know who's doing the investigation?

------
garrym
One of the reasons why user hosted Personal Cloud Storage/Sync services like
Tonido ([http://www.tonido.com/blog/index.php/2012/07/20/dropbox-secu...](http://www.tonido.com/blog/index.php/2012/07/20/dropbox-security-breach/))
are better than Public Cloud Storage/Sync services.

~~~
biot
What makes you think that the average user is better able to secure their own
hosted system than a company with a dedicated team of security engineers can?

~~~
blaines
I'll suggest that fragmentation - not having a single point to find all user
data - would reduce the impact of a breach. Dropbox is a higher value target
than John Doe, so hackers are probably less motivated. The user system itself
may not be as secure; it may not need to be, because a breach is isolated and
an attacker would be less motivated.

Just a thought that crossed my mind.

