Just searched in my Spam folder for the email address I only use for Dropbox et voilà: I got the spam messages mentioned. After the password-gate last year (http://blog.dropbox.com/index.php/yesterdays-authentication-...) this is the second major security breach by a company I (and many people I know) have a lot of data entrusted to... This really sucks!
Whats even worse: The first reports came in (from users!) over one day ago and the forum thread seems to indicate that they still have no clue what happend!
[Update] One possibility might be, that dropbox is not the culprit after all but that the spammers started to realize that people use those service-specific addresses more and more and they just send out emails to [some-service-name]@[some-domain]. At least my address is dropbox@[mydomain].
While it appears plausible (likely, even) that Dropbox is the source of the disclosure, it's not verifiable as fact until someone identifies the method used to obtain the email addresses. This makes the title inappropriate.
Malware frequently targets address books and browser forms as a means of harvesting email addresses. Not saying that it can't be Dropbox, and I'm not saying that it's even unlikely, but years of troubleshooting have taught me not to name the root cause until I can verify it myself. This is even more true when you're putting someone else's reputation on the line.
It also often targets specific applications to steal credentials from. I know there have been badwares that harvest saved Steam account names and passwords (hopefully they're stored more securely now, but who knows?), and the same could be true for Dropbox email addresses.
The address book scenario or dropbox breach both seem more likely, but it's worth keeping in mind.
I don't see any confirmation in the forum that the "e-mail addresses of users" was leaked by Dropbox. It also appears to be mainly Euro-centric accounts. So while there is certainly a problem and it is very likely originating with Dropbox, the title is quite misleading and overly condemning given the known facts.
I've been personally affected by this leak. All the e-mail addresses that I am now receiving spam on have only been used for Dropbox purposes and nothing else. In addition this was over a year ago.
So - email only used for dropbox, last transferred over the web a year ago: where else would it have been leaked from?
But this doesn't mean anything though right since all encryption happens clientside right? Oh...wrong service. This is Dropbox so they have the key on their end.
Wuala can deduplicate encrypted data. The encryption is a little bit weaker than standard encryption (because you can tell if two users are hosting the same file), but it's not possible to determine a file's content from the cipher text (if the file is unique).
If the user's computer is compromised, a simple SQLite query run against the Dropbox configuration database would reveal all Dropbox email addresses in use by that user.
If the user's email is compromised, the Dropbox confirmation email would be easy to locate and harvest, either from their mailbox, or their mail hosting provider's delivery logs.
(Usually, however, malware simply scans for all incoming email addresses, and then reports them to a central authority for later spamming.)
EDIT: As pointed out elsewhere in this thread, the email address <dropbox@yourdomain> is trivially guessable by dictionary spam attacks.
There are many routes to this information leaking. It is not at all apparent whether it's Dropbox yet.
Given that Dropbox security is actively responding in the linked forum, it seems as though this HN post - submitted by one of the users posting in that thread as "affected" - is solely to create "buzz", rather than to share news with Hacker News.
As pointed out by users in the forum post, the compromised e-mail addresses have been used not on just one Dropbox account but several. Additionally those e-mail addresses were not just trivial guesses like dropbox1@domain.com or dropbox2@domain.com, or at least they were for me.
Maybe I'm missing something here, but where else could a non-guessable e-mail address which was never used anywhere else been leaked from if not Dropbox itself?
Offhand, it could be leaked from your hard drive or any backup thereof, from email stored on any of your desktop or mobile devices, or from your email provider's mail stores or mail logs. There's probably other ways too.
EDIT: Apps. Any app you've ever authorized to use your Dropbox account could have leaked the email address - for instance, via plaintext logs, or malicious behavior, or well-intended but stupid behavior - by writing the email address in plaintext to disk, or uploading it to a remote server and then losing control of it there.
Through a compromised system. As noted above, and in many other places, there are many attacks that focus on harvesting email addresses. Until the exploit is verified, you cannot say for a fact that the disclosure is Dropbox's fault, you can only say that it is a probable source.
All signs point to Dropbox (or a 3rd party app linked to Dropbox) as the source of the leak:
* Multiple users with email addresses unique to their Dropbox account are reporting spam. It's unlikely these individuals' computers or email accounts were all compromised at the same time.
* These same users aren't reporting spam on their other unique addresses or catchall accounts. Some of them are non-trivial addresses that would be hard to guess. It's unlikely to be a bot guessing email addresses.
I use a specific "MYNAME-dropbox@MYDOMAIN.com" email address for Dropbox and I can confirm that my Dropbox-specific address has NOT received any SPAM messages.
The only messages that have ever been sent to that specific address are from Dropbox themselves...
My generic @gmail.com email address has yet to receive any casino specific spam either - and i'm from .de so it seems it has been guesswork on the part of the spammers?
A quick browse through my domain's catchall spam folder shows an e-mail addressed to techdirt@mypersonaldomain. I don't have a techdirt account -- nor have ever used this e-mail address anywhere. Yes, spam bots make guesses, folks.
The Internet would be a better place if people would stop, take a deep breath and think before they type.
Good idea: Let the dropbox folks know that you received spam to a custom address tied to their service and let them look into it, whether it be a directed spam campaign or a possible leak.
Bad idea: "OMG!!1! Dropbox is pwn3d! Admit it! Apologize for your wrongs!"
Here's one way to get people's email addresses. For what it's worth, I emailed DropBox about this a long time ago (months ago) and didn't even get a reply to my email!
If you use your DropBox referal code, on this page:
You will see a list of peoples email addresses that clicked the link and signed up. Unbeknownst to them you have their email addresses.
We have hundreds of these email addresses in our account as we have been promoting DropBox on our website for a long time. The referral status page also shows information about how far through the install they are, when they signed up etc.
This is bad because it makes phishing quite easy.
Perhaps not the source of the spam, but nonetheless still a bad execution in my opinion.
I've had the same issue with box.net a few weeks/months ago. I only signed up for their service and never really used it, and I used a one-off email address that is randomly generated and used only for the service. I do this regularly now. With each service I subscribe to, I first of generate a unique random email address, so if I start to get spam, I can either block this address only, or at least know where it was leaked...
28 comments
[ 3.0 ms ] story [ 78.5 ms ] threadWhats even worse: The first reports came in (from users!) over one day ago and the forum thread seems to indicate that they still have no clue what happend!
[Update] One possibility might be, that dropbox is not the culprit after all but that the spammers started to realize that people use those service-specific addresses more and more and they just send out emails to [some-service-name]@[some-domain]. At least my address is dropbox@[mydomain].
So lets hope for that...
Given their previous problems, you would think they would be on top of this immediately.
"Hi all,
We are actively investigating your reports. If you have any additional information, please email security@dropbox.com, and we’ll be sure to follow up
Joe"
Malware frequently targets address books and browser forms as a means of harvesting email addresses. Not saying that it can't be Dropbox, and I'm not saying that it's even unlikely, but years of troubleshooting have taught me not to name the root cause until I can verify it myself. This is even more true when you're putting someone else's reputation on the line.
The address book scenario or dropbox breach both seem more likely, but it's worth keeping in mind.
// I did change the title to not mislead readers.
If the user's email is compromised, the Dropbox confirmation email would be easy to locate and harvest, either from their mailbox, or their mail hosting provider's delivery logs.
(Usually, however, malware simply scans for all incoming email addresses, and then reports them to a central authority for later spamming.)
EDIT: As pointed out elsewhere in this thread, the email address <dropbox@yourdomain> is trivially guessable by dictionary spam attacks.
There are many routes to this information leaking. It is not at all apparent whether it's Dropbox yet.
Given that Dropbox security is actively responding in the linked forum, it seems as though this HN post - submitted by one of the users posting in that thread as "affected" - is solely to create "buzz", rather than to share news with Hacker News.
Maybe I'm missing something here, but where else could a non-guessable e-mail address which was never used anywhere else been leaked from if not Dropbox itself?
EDIT: Apps. Any app you've ever authorized to use your Dropbox account could have leaked the email address - for instance, via plaintext logs, or malicious behavior, or well-intended but stupid behavior - by writing the email address in plaintext to disk, or uploading it to a remote server and then losing control of it there.
* Multiple users with email addresses unique to their Dropbox account are reporting spam. It's unlikely these individuals' computers or email accounts were all compromised at the same time.
* These same users aren't reporting spam on their other unique addresses or catchall accounts. Some of them are non-trivial addresses that would be hard to guess. It's unlikely to be a bot guessing email addresses.
The only messages that have ever been sent to that specific address are from Dropbox themselves...
The email-address i signed up with and the one that is attached to my account is @gmail.com
However, i've recently invited 2 people with my personal @gmx.de email (using the iPhone app) and guess what...
I've got Euro Dice spam in my spamfolder there :(
The Internet would be a better place if people would stop, take a deep breath and think before they type.
Good idea: Let the dropbox folks know that you received spam to a custom address tied to their service and let them look into it, whether it be a directed spam campaign or a possible leak.
Bad idea: "OMG!!1! Dropbox is pwn3d! Admit it! Apologize for your wrongs!"
If you use your DropBox referal code, on this page:
https://www.dropbox.com/account/bonus
You will see a list of peoples email addresses that clicked the link and signed up. Unbeknownst to them you have their email addresses.
We have hundreds of these email addresses in our account as we have been promoting DropBox on our website for a long time. The referral status page also shows information about how far through the install they are, when they signed up etc.
This is bad because it makes phishing quite easy.
Perhaps not the source of the spam, but nonetheless still a bad execution in my opinion.