
Dropbox investigating possible security breach - mjfern
http://edition.cnn.com/2012/07/18/tech/web/dropbox-spam-security/index.html?hpt=hp_t3
======
incongruity
What I can't seem to wrap my head around is why, if someone actually breached
DB security, what they'd do with it is send _spam_. So, to me, that
suggests that whatever breach might have occurred must have been minimal or
via a non-critical system (i.e., someone had an unencrypted copy of some set
of users' email addresses, possibly for marketing purposes, and their machine
was compromised, etc.).

Otherwise, it just doesn't make sense that _spam_ is the first sign we'd see
of problems.

So, my fellow HN readers, what's the explanation for this?

~~~
crag
Or the opposite is true. Maybe the breach was major and the "hackers" aren't
in it for fame and glory. But cash. Number one rule of a "professional
hacker": don't leave footprints. That means you sell off the data you copied.
Piece by piece. Email addresses are the easiest to sell.

Time will tell though.

What's troubling to me is Dropbox calling in outside auditors (experts). Means
they _really_ have no idea what is happening. If it is a hack, it's a damn good
one.

~~~
rogerbinns
If Dropbox say there is no issue and there was no (serious) hack then it is
far more credible having outside auditors substantiating the claim. I'd be
more troubled if they didn't call in outside experts since Dropbox's existing
people and processes are what allowed whatever attack it was to happen in the
first place.

------
pedrobelo
Kind of a long shot, but their "forgot password" flow allows for username
enumeration attacks:

<https://www.dropbox.com/forgot>

------
nohat
I recommend encfs.

~~~
activepeanut
Speaking of encfs, has anyone else had problems using encfs under OSX Lion?
OSX would occasionally freeze on me, and when I eventually uninstalled encfs,
the problem went away. It might be a coincidence though.

~~~
MartinMond
I've been using encfs for a long time now and I never had any issues, neither
on Lion nor on Mountain Lion (developer previews).

I can really recommend <http://boxcryptor.com/>

