

 Dropbox confirms it got hacked, will offer two-factor authentication - palebluedot
http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/

======
mgurlitz
_> It turns out a Dropbox employee’s account was hacked, allowing access to
user e-mail addresses._

This is misleading.

 _> Some Dropbox customer accounts were hacked too, but this was apparently an
unrelated matter._

Unrelated how? What I read was: "Our investigation found that usernames and
passwords recently stolen from other websites... A stolen password was also
used to access an employee Dropbox account"

This article dangerously leaves the impression that an intrusion was made into
Dropbox's system to access the employee's account, and possibly an admin
interface. In reality Dropbox let a spammer with a valid email and password
look at someone's files.

~~~
deliciouscoffee
An employee account was compromised and privileged information (in this case
user email addresses) was accessed. The attacker exploited a flaw in dropbox's
password policy / authentication system to access the information. Dropbox is
modifying their systems and policies to prevent this sort of attack in the
future.

All that together certainly adds up to an intrusion and is well within the
definition of a "hack".

~~~
tlrobinson
_"a flaw in dropbox's password policy / authentication system to access the
information"_

What flaw? It sounds like a Dropbox employee was simply reusing a password
stolen on another site.

~~~
ewillbefull
How is that not a flaw in the authentication system?

~~~
skeletonjelly
Using a key to open a door that was designed to be opened with that key is not
a flaw in the lock mechanism. The fact that the user set that key to also open
something else is not the fault of the former lock.

~~~
ewillbefull
This is not at all how security researchers think of it. Security
vulnerabilities are very broad; they can be exploited through social
engineering, through incompetent employees who do not have rigorous password
standards, etc. If you narrow security vulnerabilities to coding mistakes,
you're neglecting your customers.

------
FaceKicker
I wish websites with user accounts would offer the option to "login via email"
- as in you'd type in your username (or preferably your email) and maybe a
captcha and then you'd log in by clicking a link it sends via email afterwards.
Ideally having a password associated with the account at all would be
optional.

I have a Gmail tab opened just about 100% of the time I'm on the computer, so
this would be very convenient for me as an alternative to having to remember
passwords for sites that I visit once a month or less (and end up having to
get a "password reset" link via email every time I log in anyway), and then
I'd only have to keep my Gmail account secure (which I do via 2 factor).
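
One way to implement the login-by-email-link flow the comment above describes, as an added example rather than code from the post or from Dropbox; SERVER_KEY, the token layout and the `spent` nonce store are assumptions:

```python
import base64
import hmac
import json
import secrets
import time
from hashlib import sha256
from typing import Optional, Set

# Passwordless "login via e-mail": the site mails a link carrying a signed,
# short-lived, single-use token; possession of the mailbox is the credential.
# Constructed example. SERVER_KEY is a hypothetical per-process key; a real
# deployment loads it from a secret store so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_login_token(email: str, key: bytes = SERVER_KEY,
                      now: Optional[int] = None) -> str:
    """Token = b64(payload) '.' b64(HMAC-SHA256(key, payload)). The random
    nonce makes every token distinct so it can be marked as spent."""
    now = int(time.time()) if now is None else now
    claims = {"email": email, "exp": now + TOKEN_TTL_SECONDS,
              "nonce": secrets.token_hex(16)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_b64(hmac.new(key, payload, sha256).digest())}"

def redeem_login_token(token: str, spent: Set[str], key: bytes = SERVER_KEY,
                       now: Optional[int] = None) -> Optional[str]:
    """Return the e-mail to log in, or None if the token is malformed, forged,
    expired or already used. `spent` is the server's store of used nonces."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:          # wrong shape or bad base64 (binascii.Error)
        return None
    # Authenticate before parsing so untrusted JSON is never interpreted.
    if not hmac.compare_digest(hmac.new(key, payload, sha256).digest(), tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now or claims["nonce"] in spent:
        return None
    spent.add(claims["nonce"])  # single use
    return claims["email"]
```

The link itself would just carry the token as a query parameter; the captcha step the comment mentions belongs in front of issue_login_token to rate-limit who can trigger mail.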

~~~
yen223
In this case it wouldn't have helped, because the intruder apparently had
access to a Dropbox employee's email account.

EDIT: Disregard what I said, apparently the attacker had access to the Dropbox
employee's Dropbox account.

~~~
tlrobinson
Where do you see anything about the Dropbox employee's email account being
compromised?

~~~
yen223
You are right, I misread. Thanks for pointing that out :)

------
sillysaurus
Dropbox did _not_ get hacked. One of their employees used the same password on
multiple other sites, and one of _those_ got hacked. This is awful journalism.

~~~
jasonzemos
Security is fungible. You're applying some subjective standard that divides
what constitutes a hack and what doesn't. If I had to guess, you wouldn't
treat a buffer overflow where some code was executed the same way. This is
arbitrary.

Considering a dropbox employee, corporate information, and internal security
practices are on the line here: I think the author made the fair, ethical
call.

~~~
sillysaurus
No, the article is flat-out wrong. "Dropbox got hacked" means their system
security is breachable by a malicious attacker. This is simply not true.

~~~
yen223
I would think that if the attacker had access to a Dropbox employee's account,
which in turn gave him/her access to user accounts, that would constitute a
security breach.

~~~
sillysaurus
_if the attacker had access to a Dropbox employee's account, which in turn
gave him/her access to user accounts ..._

That didn't happen. The employee account merely contained a list of email
addresses.

~~~
arrrg
That’s not really a response, is it? User account data could be accessed –
because Dropbox was unable to protect your data. That’s not quite as awful as
access to user accounts, but it’s still awful.

------
tomcorrigan
Meh. This has already been posted:
<http://news.ycombinator.com/item?id=4320429>

Also, kindly avoid the linkbait title; Dropbox did not get hacked, some of its
users' account credentials were compromised on other sites.

~~~
jarek
> Also, kindly avoid the linkbait title

The title of this submission matches the title of the article, matching recent
HN policy. Users objecting to the phrasing may wish to flag the submission
instead.

~~~
tomcorrigan
I'm just going to quote the HN guideline back to you.

> please use the original title, unless it is misleading or linkbait.

~~~
jarek
Yep, the guideline does say that. That is why I said recent policy. There have
been several recent instances of submission title being edited to match the
article linked, in some cases when that title was misleading or provided
minimal context. Some examples here:
<http://news.ycombinator.com/item?id=4102013>

------
damncabbage
Most worrying quote for me:

 _Dropbox today said a stolen password was "used to access an employee Dropbox
account containing a project document with user email addresses."_

(What else is being left around in data dumps?)

~~~
LogicX
There's no mention of how many users were in that document. I've had a Dropbox
account for many years with a Dropbox specific email address and I did not
receive spam, so it must not have been everyone.

~~~
yen223
It appears that the attacker had a list of stolen emails and passwords from
_other_ compromised sites, so your Dropbox account would probably be safe.

------
chmars
IMHO this incident confirms the value of having an individual mail address for
each site, service, etc.

Gmail has allowed for such individual mail addresses for years:

username+loremipsum@gmail.com

Example:

johndoe+dropboxcom@gmail.com

Mails addressed to johndoe+dropboxcom@gmail.com will be delivered to
johndoe@gmail.com. They are easy to identify, filter etc.

~~~
AkThhhpppt
That's not just GMail, that's all compliant email handlers; it's part of the
RFC. Unfortunately, it's not guaranteed that the site you're signing up to can
handle that address format - Facebook doesn't...

~~~
mgurlitz
While the RFC mandates the ability to send and receive email from
user+detail@example.org it doesn't require that it go to user@example.org.
It's an extension to the email standard, and you could have labels in another
form if you wanted to, e.g. inbox0-user@example.org
(<http://tools.ietf.org/html/rfc5233>)
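
An added example (not from the thread, Gmail or Dropbox) that parses the user+detail@domain form discussed by chmars and mgurlitz above and uses the per-site tag to work out which service an unwanted mail's address was given to; the tag registry and the sample To: addresses are constructed, and only the suffix ("+") form is handled, not the prefix form mgurlitz mentions:

```python
from typing import Dict, Iterable, Optional, Tuple

# Per-site sub-addresses (RFC 5233 style, Gmail's "user+detail@domain" form):
# the detail tag records which service was given the address, so unwanted
# mail to a tag points at the service that leaked or sold it.
# Constructed example, not Gmail's or Dropbox's code.

def split_subaddress(address: str, sep: str = "+") -> Tuple[str, Optional[str], str]:
    """Return (user, detail, domain); detail is None for an untagged address.
    Only the first separator splits, so 'a+b+c@x' has detail 'b+c'."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    user, found, detail = local.partition(sep)
    return user, (detail if found else None), domain.lower()


def base_address(address: str, sep: str = "+") -> str:
    """The mailbox that actually receives the mail, tag removed."""
    user, _, domain = split_subaddress(address, sep)
    return f"{user}@{domain}"


def attribute_leaks(recipients: Iterable[str], registry: Dict[str, str],
                    sep: str = "+") -> Dict[str, int]:
    """Map the To: addresses of unsolicited mail back to the service each tag was
    handed to. registry: tag -> service, as the user noted it at signup.
    Returns {service: count}; tags not in the registry count as 'unknown-tag',
    untagged mail as 'untagged'."""
    hits: Dict[str, int] = {}
    for addr in recipients:
        _, detail, _ = split_subaddress(addr, sep)
        key = "untagged" if detail is None else registry.get(detail, "unknown-tag")
        hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample: the user's tag registry and the recipients of spam that
# arrived later. Two messages hit the tag given only to dropbox.com.
REGISTRY = {"dropboxcom": "dropbox.com", "shopexample": "shop.example"}
SPAM_TO = [
    "johndoe+dropboxcom@gmail.com",
    "johndoe+dropboxcom@Gmail.com",
    "johndoe+oldforum@gmail.com",
    "johndoe@gmail.com",
]
```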

------
jpalomaki
Very happy to hear they are planning to start offering two-factor
authentication. Hopefully something that works with Google Authenticator.

For client side encryption I have had good experiences with BoxCryptor on Windows.

~~~
buro9
I really hope that Dropbox use Google Authenticator.

The last thing I want is double the number of apps on my phone as every single
app has another 2-factor auth app to ship.

Just add yourself to Google Authenticator and be done with it. It doesn't
require a Google account, you can use Google Authenticator as the generator of
the 2-factor auth code and that's all.

LastPass uses Google Authenticator for 2-factor, and it works well.

One of the problems I've found with Dropbox is that I tend to use a shorter
and easier to type password because I enter it on my phone in addition to my
desktop.

Good passwords are great when you have a password manager, but in the app
you're stuck with having to type it in. So my Dropbox password is weaker than
I'd want just because apps mean I can't use a password manager. 2-factor can't
come soon enough for me.

On a related note, 2-factor is one of the weaknesses I want addressed. The
other one I'll bang on about is client-side encryption. If it's possible at
all for someone to access their systems I still want to feel sure that someone
can't access my files.

It's not that I limit my use of Dropbox, but I use it differently. That 1GB
file in my account... that's a Truecrypt volume. The other files are just less
sensitive.
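
What "works with Google Authenticator" means in practice is RFC 6238 TOTP, shown here as an added example (not Dropbox's, Google's or LastPass's code) with the verification-side details a server needs: a drift window, refusal of a code that was already accepted, and constant-time comparison. The base32 secret is the RFC 6238 reference value, constructed for the demo:

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from typing import Optional

# RFC 6238 TOTP with Google Authenticator's defaults: base32 secret, 30-second
# step, 6 digits, HMAC-SHA1. Constructed example, not Dropbox's own code.
STEP_SECONDS = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at_time: Optional[int] = None, digits: int = DIGITS) -> str:
    """Code the authenticator app shows for the step containing at_time."""
    at_time = int(time.time()) if at_time is None else at_time
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(secret, at_time // STEP_SECONDS, digits)

def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                window: int = 1, last_counter: int = -1,
                digits: int = DIGITS) -> Optional[int]:
    """Server-side check: accept the current step and `window` steps either side
    (clock drift), refuse any step at or before `last_counter` (a code already
    used), compare in constant time. Returns the matched step, which the caller
    persists as the new last_counter, or None on failure."""
    at_time = int(time.time()) if at_time is None else at_time
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = at_time // STEP_SECONDS
    for step in range(counter - window, counter + window + 1):
        if step <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return step
    return None

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded as an
# app would receive it at enrolment; totp(RFC_SECRET_B32, 59) gives "287082".
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
```

Persisting the returned step per user is what stops a code sniffed over a client's shoulder from being replayed within the same window.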

~~~
tallanvor
How often do you have to log into your dropbox account? I hardly ever have to
log into the website, and you don't have to log in every time on your phone.

~~~
buro9
I do client work and frequently find myself onsite where I can't connect my
computer or phone to the network yet can use a computer on their network to
access the web.

So, a fair amount.

------
lgeek
Maybe they should offer client side encryption. You know, the kind that's not
reversible on their side of things.

~~~
emmett
1) What about this issue would have been helped by client-side encryption? A
valid username and password was used to access dropbox information, so it
would have gone right through client-side encryption.

2) Do you not enjoy features like the web interface and public links? Those
are one of my favorite parts of dropbox and they wouldn't work with client-
side encryption.

~~~
lgeek
> What about this issue would have been helped by client-side encryption

I was assuming that an employee account can in a more or less direct way
access user files. Either way, it's not the first time they've been
compromised and last time[1] client-side encryption would have certainly
helped.

> Do you not enjoy features like the web interface and public links?

The web interface could work with client side encryption. I wouldn't mind
having no encryption for publicly shared files.

[1] www.wired.com/threatlevel/2011/06/dropbox/

~~~
emmett
You assumed wrongly. They accessed an employee's account and took a file out;
they didn't further compromise Dropbox's backend in any way. So in this
particular instance, client side encryption wouldn't have helped at all.

------
DigitalSea
Is it just me or have there been a lot of security mishaps like this for
various high-profile services? LinkedIn was a victim to a much larger extent
not too long ago. This is becoming ridiculous.

~~~
unreal37
This isn't on the same scale. Some user email addresses were in a spreadsheet,
and the employee's password was compromised. I bet every single day someone's
Gmail gets "hacked" if that's the standard for that.

~~~
DigitalSea
The point is it shouldn't occur on any scale. Even small-scale security
exploits can turn into much bigger ones further down the track. For all we
know, we've yet to see the full consequences of this attack; it could be
revealed that it's much more than a spreadsheet of email addresses. The
very fact Dropbox made everyone change their password is proof enough that
even Dropbox aren't sure what hackers have taken or had access to.

------
timkeller
The most annoying part is the disingenuous email we all received tonight.

 _Recently, passwords have been stolen from some internet services. We've
reset your password._

I'd have been shocked, but ultimately more respectful of:

 _We've had a security violation. You can read about it here. Your account
wasn't affected, but we're resetting everyone's password just in case. So
sorry about this._

------
paulsilver
It disappoints me that a Dropbox employee might be using the same password for
a work account and anything not work related. It's bad enough that they might
re-use passwords internally, but I find that understandable.

However, using a work e-mail and the password you use at work on someone
else's system was stupid. You can have faith in your own security measures,
but not anyone else's. If you're going to re-use passwords, at least have a
work one and an everything else one.

------
theprodigy
I believe your Dropbox needs to be as secure as your email account because it
deals with storing your personal data. So offering 2-factor authentication is a
step in the right direction, like what Gmail has.

Other than that dropbox can't do much about people using the same passwords
for different sites or social engineering attacks. You can educate and warn
people about it, but it's ultimately up to the user to follow through.

------
executive
Not surprising. Remember, we're talking about a service that at times lets
anyone login to another user's account without a password.

------
rocky1138
To increase security you can enable "email me when a new computer or app is
linked to my account" in the account settings.

It's not much, but at least you'll be notified when someone syncs their
computer with your dropbox or adds your dropbox to their phone.

------
trekkin
That's why client-side encryption is useful, regardless of what some "security
researchers" self-servingly say.

