BreachExchange mailing list archives
Dropbox confirms it got hacked, will offer two-factor authentication
From: security curmudgeon <jericho () attrition org>
Date: Tue, 31 Jul 2012 21:53:38 -0500 (CDT)
---------- Forwarded message ----------
From: Richard Forno <rforno () infowarrior org>
To: Infowarrior List <infowarrior () attrition org>
Date: Tue, 31 Jul 2012 22:49:58 -0400

Dropbox confirms it got hacked, will offer two-factor authentication
Spammers used stolen password to access list of Dropbox user e-mails.

by Jon Brodkin - July 31 2012, 10:05pm EDT
http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/

A couple of weeks ago Dropbox hired some "outside experts" to investigate why a bunch of users were getting spam at e-mail addresses used only for Dropbox storage accounts. The results of the investigation are in, and it turns out a Dropbox employee's account was hacked, allowing access to user e-mail addresses.

In an explanatory blog post, Dropbox today said a stolen password was "used to access an employee Dropbox account containing a project document with user email addresses." Hackers apparently started spamming those addresses, although there's no indication that user passwords were revealed as well.

Some Dropbox customer accounts were hacked too, but this was apparently an unrelated matter. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," the company said. Dropbox noted that users should set up different passwords for different sites.

The site is also upping its own security measures. In a few weeks, Dropbox said it will start offering an optional two-factor authentication service. This could involve users logging in with a password as well as a temporary code sent to their phones. Dropbox has also set up a new page letting users view all the active logins to their accounts, and said it is planning "new automated mechanisms to help identify suspicious activity."

At any rate, users may want to think about examining more secure alternatives, encrypting their files, or simply not storing ultra-sensitive information in Dropbox. You may recall that one year ago, a Dropbox screwup left all user accounts unsecured and accessible with any password for four hours. These mistakes haven't led to major problems for users that we know of just yet, but they don't inspire much confidence in Dropbox's security systems.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges.

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time vulnerability, event and compliance monitoring into a single, role-based, interface for administrators, auditors and risk managers to evaluate, communicate and report needed information for effective decision making and systems management.