Dropbox Spam

he Dropbox blog reports that some accounts one their system were compromised using credentials found in other password breacThes.

Lesson 1 : When you run a big public service, your security team may want to find lists of stolen accounts.  Either cracking hashes themselves or being plugged in with those that do.   But at the very least download the plaintext passwords like occurred in the Yahoo hack.   Check the usernames / passwords against your own system and force resets where necessary.

A couple weeks ago, I saw an article where Microsoft was doing exactly that.   Unfortunately the blogger I was reading hates Microsoft and was reporting it as Microsoft (corporate) accounts being hacked rather than Microsoft Live accounts having their passwords reset.

Even if you aren’t running a big public service, you should be on top of it.

Next, Dropbox revealed that one of the accounts that was breached belonged to a Dropbox employee.   That account contained a project document with user email addresses.   Those email addresses are believed to be the cause of spam received by Dropbox users at email addresses created specifically for Dropbox.

Lesson 2 Control access to your proprietary documents

Of course Dropbox probably trusts themselves, but the rest of us are shaking our heads.

Dropbox is implementing two factor authentication, and the ability to see current logins to your account.   That would have been a good idea to implement in the first place.   Apparently convenience was more important than security.

Lesson 3 Set a unique password for each website you use.
Internet users keep relearning that one.   But many of us have a decade of password reuse to  sift through.  It takes a while to get that done.   The Dropbox blog recommends 1password.   I recommend LastPass.

There is nothing new in this post incident report from Dropbox.

I notice Dropbox uses Google Apps for Domains (your own domain Gmail).   I wonder if Dropbox is taking advantage of multifactor authentication on those accounts as well.   As we saw with Incapsula, if you can get an admin account reset you can get access to existing Dropbox email accounts which helps with other password resets and the password may even be in the mailbox.