BreachExchange mailing list archives

Dropbox hires "outside experts" to investigate possible e-mail breach


From: security curmudgeon <jericho () attrition org>
Date: Thu, 19 Jul 2012 16:33:46 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://arstechnica.com/security/2012/07/dropbox-hires-outside-experts-to-investigate-possible-e-mail-breach/

By Jon Brodkin
Ars Technica
July 18 2012

Dropbox users have been complaining for a couple of days about spam 
delivered to e-mail accounts they created solely to log into Dropbox. 
There have been no reports of unauthorized activity on Dropbox accounts, 
but it's happening to enough users that Dropbox is investigating the 
matter with its internal security team. The company has also brought in 
"outside experts" to find out if there has been a breach.

"We wanted to update everyone about spam being sent to e-mail addresses 
associated with some Dropbox accounts," a Dropbox representative told 
users on a support forum today. "We continue to investigate and our 
security team is working hard on this. We've also brought in a team of 
outside experts to make sure we leave no stone unturned. While we haven't 
had any reports of unauthorized activity on Dropbox accounts, we've taken 
a number of precautionary steps and continue to work around the clock to 
make sure your information is safe. We'll continue to provide updates."

The forum has six pages worth of complaints from mostly European users 
getting spam from "Euro Dice Exchange" and other online casinos and 
shady-sounding senders. While everyone gets e-mail spam, users raised a 
flag because the messages were often coming to accounts used only for 
Dropbox.

A Dropbox error one year ago left every single Dropbox account unsecured 
and accessible with any password for four hours. Given that Dropbox's 
business model depends on users trusting their data to the company, 
Dropbox has to be extra careful. But in this case, it's not yet certain 
there has been a breach. Some Dropbox users posting on the support forum 
and Twitter report receiving no spam, and the problem may be isolated to a 
small percentage of users.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
