BreachExchange mailing list archives

Dropbox confirms it got hacked, will offer two-factor authentication


From: security curmudgeon <jericho () attrition org>
Date: Tue, 31 Jul 2012 21:53:38 -0500 (CDT)



---------- Forwarded message ----------
From: Richard Forno <rforno () infowarrior org>
To: Infowarrior List <infowarrior () attrition org>
Date: Tue, 31 Jul 2012 22:49:58 -0400

Dropbox confirms it got hacked, will offer two-factor authentication
Spammers used stolen password to access list of Dropbox user e-mails.
by Jon Brodkin - July 31 2012, 10:05pm EDT

http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/

A couple of weeks ago Dropbox hired some "outside experts" to investigate 
why a bunch of users were getting spam at e-mail addresses used only for 
Dropbox storage accounts. The results of the investigation are in, and it 
turns out a Dropbox employee's account was hacked, allowing access to user 
e-mail addresses.

In an explanatory blog post, Dropbox today said a stolen password was 
"used to access an employee Dropbox account containing a project document 
with user email addresses." Hackers apparently started spamming those 
addresses, although there's no indication that user passwords were 
revealed as well. Some Dropbox customer accounts were hacked too, but this 
was apparently an unrelated matter. "Our investigation found that 
usernames and passwords recently stolen from other websites were used to 
sign in to a small number of Dropbox accounts," the company said.

Dropbox noted that users should set up different passwords for different 
sites. The site is also upping its own security measures. In a few weeks, 
Dropbox said it will start offering an optional two-factor authentication 
service. This could involve users logging in with a password as well as a 
temporary code sent to their phones.

Dropbox has also set up a new page letting users view all the active 
logins to their accounts, and said it is planning "new automated 
mechanisms to help identify suspicious activity." At any rate, users may 
want to think about examining more secure alternatives, encrypting their 
files, or simply not storing ultra-sensitive information in Dropbox. You 
may recall that one year ago, a Dropbox screwup left all user accounts 
unsecured and accessible with any password for four hours. These mistakes 
haven't led to major problems for users that we know of just yet, but they 
don't inspire much confidence in Dropbox's security systems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
