We are a customer of theirs at my startup, and as far as I can tell Dropbox has made very few changes since the acquisition beyond changing the branding. So I wouldn’t take this incident to be an indicator of much on the cloud-storage side of the company.
Google and others normally have a 6 month grace period for bug bounty reports in acquisitions.
If you can get competent people to work for you while keeping Wall Street happy, sure, but there are much "cooler" companies across the street that Wall Street is more excited about, are hiring right now, and the competent folk are going there.
At the end of this extreme are Equifax-like companies that have leaks and lots of other issues. Before you ask why Equifax sucks so much, ask yourself: would you work there? No? That's why they continue to suck.
While Dropbox isn't Equifax, it isn't OpenAI or NVIDIA right now.
Our implementation of their API was a bit of a mess, so it can be hard to see through our own crap sometimes to give credit where it's due, haha.
hashed passwords, API keys, OAuth tokens, MFA...
Oh no.
On April 24th they became aware of the issue, reporting it over a week later. I'd also be curious how long this problem went on before being detected on April 24.
I suppose more will come out in the coming days.
68 million accounts dumped: https://www.theguardian.com/technology/2016/aug/31/dropbox-h...
https://www.troyhunt.com/the-dropbox-hack-is-real/
now they first hash the password using SHA512 (with a per-account salt)
then they hash the password with bcrypt (with the default strength)
then they encrypt the password with a key that the application server runs with, but that is not stored in the database.
So yes, hashed and salted.
Not familiar with this area; how does it usually happen? Social engineering or some more "technical" ways?
Also, under normal (not hacked) circumstance, who usually would have access to these service accounts?
A service account is used to give limited permissions on one system to another system. Normally only that system would need access to them, not any human.
Their main benefit is that, since no person is trying to do their day job here, the account can be locked down to precisely the permissions it needs. The reality is that service accounts are usually given extremely permissive access initially and then forgotten about. This makes them juicy targets for attackers.
Hope they'll come around and add it at some point, and not just for businesses as hinted at when they acquired boxcryptor.
(Cryptomator and encrypted sparsebundles work great on Dropbox. Just annoying to manage)
https://blog.dropbox.com/topics/company/new-solutions-to-sec...
It just feels like feature gatekeeping to me, but no way for me to pay more to get this feature. But I also understand that personal users are not Dropbox's main focus.
> threat actor had accessed data including ... certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.
> If I have a Sign account linked to my Dropbox account, is my Dropbox account affected? No. Based on our investigation to date, we believe this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.
If you linked your Dropbox account to a Sign account, wouldn't Sign have had an OAuth token (or similar) with permissions to access documents in Dropbox accounts? One imagines that leaked, if everything else did. Would they have been able to detect this as a distinct access pattern from someone, say, choosing a file to sign via the Sign interface?
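One way the question above could be answered on the token issuer's side, as an added example that is not Dropbox's or Sign's code: compare each use of the integration's OAuth token against how the legitimate integration is expected to behave. The log format, field names, client id, egress range, allowed operations and thresholds below are all constructed for the example; the log lines are made up.

```javascript
// Added example: flag OAuth-token uses that do not look like the integration that
// owns the token. Hypothetical policy, hypothetical log format, constructed log lines.
const policy = {
  clientId: 'sign-integration',            // hypothetical OAuth client id
  egressCidrs: ['203.0.113.0/24'],         // TEST-NET-3, standing in for the integration's known egress
  allowedOps: new Set(['files/get_metadata', 'files/download', 'files/upload']),
  maxDistinctFilesPerToken: 5,             // someone signing a document touches a few files, not dozens
};

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Parses a constructed gateway line: "<iso-ts> client=<id> token=<id> ip=<ip> op=<op> path=<path>"
function parseLine(line) {
  const [ts, ...rest] = line.trim().split(/\s+/);
  const ev = { ts };
  for (const kv of rest) {
    const i = kv.indexOf('=');
    ev[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return ev;
}

// Returns one finding per event that breaks the policy, with the reasons why.
function findSuspiciousTokenUse(lines, pol) {
  const events = lines.map(parseLine).filter((e) => e.client === pol.clientId);
  const filesPerToken = new Map();
  const findings = [];
  for (const e of events) {
    const reasons = [];
    if (!pol.egressCidrs.some((c) => inCidr(e.ip, c))) reasons.push('source outside integration egress');
    if (!pol.allowedOps.has(e.op)) reasons.push(`unexpected op ${e.op}`);
    const seen = filesPerToken.get(e.token) ?? new Set();
    seen.add(e.path);
    filesPerToken.set(e.token, seen);
    if (seen.size > pol.maxDistinctFilesPerToken) reasons.push('bulk access across many files');
    if (reasons.length) findings.push({ ts: e.ts, token: e.token, ip: e.ip, op: e.op, reasons });
  }
  return findings;
}

// Constructed sample: tok_A behaves like a user signing one file; tok_B is replayed
// from an unknown network, enumerates the root and pulls unrelated documents.
const sampleLog = [
  '2024-04-24T10:00:01Z client=sign-integration token=tok_A ip=203.0.113.10 op=files/get_metadata path=/contracts/nda.pdf',
  '2024-04-24T10:00:02Z client=sign-integration token=tok_A ip=203.0.113.10 op=files/download path=/contracts/nda.pdf',
  '2024-04-24T11:15:00Z client=sign-integration token=tok_B ip=198.51.100.7 op=files/list_folder path=/',
  '2024-04-24T11:15:01Z client=sign-integration token=tok_B ip=198.51.100.7 op=files/download path=/taxes/2023.pdf',
  '2024-04-24T11:15:02Z client=sign-integration token=tok_B ip=198.51.100.7 op=files/download path=/taxes/2022.pdf',
  '2024-04-24T11:15:03Z client=sign-integration token=tok_B ip=198.51.100.7 op=files/download path=/hr/offer.pdf',
  '2024-04-24T11:15:04Z client=sign-integration token=tok_B ip=198.51.100.7 op=files/download path=/medical/lab.pdf',
  '2024-04-24T11:15:05Z client=sign-integration token=tok_B ip=198.51.100.7 op=files/download path=/bank/statement.pdf',
  '2024-04-24T12:00:00Z client=other-app token=tok_C ip=198.51.100.7 op=files/download path=/notes.txt',
];

for (const f of findSuspiciousTokenUse(sampleLog, policy)) {
  console.log(`${f.ts} ${f.token} ${f.ip} ${f.op}: ${f.reasons.join('; ')}`);
}
```

The egress check is the cheapest and strongest signal when the integration calls the API from a fixed set of addresses; the operation and volume checks cover the case where the attacker routes through the integration's own infrastructure, at the cost of tuning the thresholds against real traffic.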
Fast forward a decade and I've more than had my fill of self-hosting stuff, so a couple of years ago I went all in on the cloud again, though with a bit of a different approach.
Stuff that is not really sensitive is uploaded "as is". Yes, that includes our photos. While I don't want our photo library to be "public domain", there is nothing there of particular interest to anybody but my family and me.
For sensitive stuff I use Cryptomator to end-to-end encrypt data before uploading it to the cloud. It has desktop and mobile clients that allow me transparent access to my encrypted files on the go.
So they also leaked data of people who are not their customers, and who never agreed to have their information collected.
I doubt that flies under the GDPR.
In the grand scheme of things, nothing matters and we’re all going to die. It’s been a while since I read the GDPR, but I don’t remember a section titled “personal data which is OK to leak because it doesn’t matter in the grand scheme of things *shrug emoji*”.
> You probably gave them to the person who then used Dropbox Sign to send you a document. If you were really worried you could have used a throwaway account.
Yes, you probably did. And that’s irrelevant. That data should’ve been deleted once it was no longer relevant. Almost no one goes around giving throwaway email accounts to acquaintances. Do you also suggest people have a throwaway phone number they give to friends and family, for when they upload it to a service like WhatsApp?
Why are they charging per-user? What exactly does that mean? A company will have one singular account and send documents to non-Dropbox affiliated entities, who aren't classified as users.
https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...
https://news.ycombinator.com/item?id=2678576 (46 comments)
This might be the first time a large company has actually apologised and admitted some fault. Colour me shocked.
I'm still unclear how much I'm impacted. I've used Dropbox Sign / HelloSign but always with my dropbox account. Resetting password and 2FA anyway, because why not.
[0]: They're asking people to reset the 2FA.