Dropbox: "We wuz hacked"

A couple weeks ago, a few hundred Dropbox users noticed they were receiving loads of spam about online casinos and gambling websites, at email addresses those users had set up only for Dropbox-related actions. The online file storage service now admits that hackers snagged usernames and passwords from third party sites, and used this data to break into those Dropbox users' accounts. Dara Kerr, reporting for CNET:

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post today. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."

Over at Ars Technica, Jon Brodkin has more. Per Dropbox's own account, the spam traces back to one employee's Dropbox account, which was signed into with a stolen password and held a project document listing user email addresses.
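The pattern Dropbox describes, username/password pairs leaked from other sites being replayed against its own login, is what detection engineers call credential stuffing. As an added example (not Dropbox's code and not from the article), here is a small detector run over constructed login log lines; the log format, the IP addresses, the account names and the thresholds are all assumptions for illustration. Stuffing shows up as one source touching many distinct accounts with roughly one attempt each and a low success rate, which is what the heuristic keys on.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example; not from Dropbox or any real system.
SAMPLE_LOG = """\
2012-07-31T10:00:01Z login src=203.0.113.5 user=alice@example.com result=fail
2012-07-31T10:00:02Z login src=203.0.113.5 user=bob@example.com result=fail
2012-07-31T10:00:02Z login src=203.0.113.5 user=carol@example.com result=success
2012-07-31T10:00:03Z login src=203.0.113.5 user=dave@example.com result=fail
2012-07-31T10:00:03Z login src=203.0.113.5 user=erin@example.com result=fail
2012-07-31T10:00:04Z login src=203.0.113.5 user=frank@example.com result=success
2012-07-31T10:00:05Z login src=203.0.113.5 user=grace@example.com result=fail
2012-07-31T10:00:05Z login src=203.0.113.5 user=heidi@example.com result=fail
2012-07-31T10:01:10Z login src=198.51.100.7 user=alice@example.com result=fail
2012-07-31T10:01:20Z login src=198.51.100.7 user=alice@example.com result=fail
2012-07-31T10:01:30Z login src=198.51.100.7 user=alice@example.com result=success
2012-07-31T10:02:00Z login src=192.0.2.9 user=ivan@example.com result=success
"""

# Assumed log format (hypothetical): "<timestamp> login src=<ip> user=<name> result=success|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse login events; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {src_ip: stats} for sources that hit many distinct accounts with mostly failures.

    A brute force hammers one account many times; credential stuffing walks a leaked
    list, so each account is tried about once and most attempts fail because the
    victim did not reuse that password here. Thresholds are assumptions to tune.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "success":
            s["successes"] += 1

    flagged = {}
    for src, s in per_src.items():
        if len(s["users"]) >= min_users and s["successes"] / s["attempts"] <= max_success_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "successes": s["successes"],
            }
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: these reused a
    leaked password and are the ones to force-reset and notify."""
    return sorted({e["user"] for e in events if e["src"] in flagged and e["result"] == "success"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evts, hits))
```

In the constructed data, 203.0.113.5 tries eight accounts and gets into two, so it is flagged and carol and frank get a forced reset; 198.51.100.7 retries a single account and is left to a per-account lockout rule instead, which this heuristic deliberately does not cover.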

Dropbox noted that users should set up different passwords for different sites. The service is also tightening its own security measures: in a few weeks, Dropbox says it will start offering optional two-factor authentication, meaning users log in with their password plus a temporary code sent to their phones.

Good to hear. Google is another popular service that offers this kind of two-step verification, and I'm a big fan of it. And, of course, it's always smart not to use, say, the same easily cracked password for Dropbox that you use for your online banking.


  1. Storing critical information anywhere but on hardware that is under my physical control (except for the one credit card number I use for online purchases)??

    No way.  Fuck that naivete.  Seriously.

    1. I agree. I’m pulling (syncing back) my Google drive items and investing in a 256GB TD. 

      I don’t need most of the crap I have anyway. I’m 48, the drive will be just fine till I die. 

    2. It depends. We’ve got this great internet thing but it’s still a pain in the ass to synchronize data between two private machines in different places which are both connected to this internet, unless you are using some sort of cloud service.
      (the other way I know is to have both machines online at the same time, use DDNS, have a VPN server running on one, a client on the other, log in, mount the remote partition and finally be able to run backintime and rsync or whatever your favourite backup and synching software may be — pretty roundabout to just using a cloud service, although it wouldn’t have to be)

      Also, I am using the cloud (spideroak in my case) for backups. I’ve already had a fire in the apartment once (but got lucky), so I will not confine important data to just one place. Spideroak’s a lot more focused on privacy than Dropbox & co., so I’m reasonably sure my data won’t fall into other people’s hands. Still thinking twice about what to backup there.

  2. Is it really so easy to hack this shit that people do it in order to send out spam? 

    I imagine dropbox is now paying someone to trump up a story about the 15 people that had 12345 as their passwords.

  3. The Ars Technica headline is very misleading. According to the sources they link, it was OTHER websites that were hacked and lost passwords, not Dropbox. The Dropbox issue occurs when the user used the same password on Dropbox as on a hacked site.

    Reusing passwords is a huge problem but it’s not a hack of “Dropbox” by any normal use of the word “hack”. And yes, a Dropbox employee lost a file of email addresses but lost email addresses lead to spam, not hacks of people’s accounts.

    A better but less sensationalistic headline would be “one more reason to get a password manager and use unique passwords”.

  4. “sent to their phones”

    Great, then hackers will get our phone numbers too in the next turn. :)

  5. Thumbs up. Short message from Europe (may not apply in the US): Grrrrreat, I’ll give them a phone number which can be tracked to my real name, my address, and my bank account. (And yes, we do have to register with an official ID even when buying a pre-paid SIM.)

    Two-step my a**, will ya!
