17 comments

[ 1.9 ms ] story [ 50.7 ms ] thread
Must be some 3rd party app that proxies Dropbox services and/or login.
Anyone know who's doing the investigation?
We had the same problem at MacHeist (people got their specific macheist+ prefixes targeted with spam). Turned out it was our email provider iContact who were hacked. We weren't the only ones. They posted a non-committal blog post about "investigating the matter", which then mysteriously disappeared when they upgraded their blogging platform.

The hack made real damage to our reputation (the "software bundle" space has a poor reputation to begin with, and receiving spam confirmed people's expectations), and they wouldn't own up to it. Be careful with which third parties you entrust your users' email addresses with.

I once contacted bulksms.co.uk after I received some spam on an email address dedicated to their site only. They also identified the leak as being from a third party provider they used for mailshots. They promptly found a new provider.
Better luck than I've had. Topaz Labs just ignored me when I pointed out there'd been a breach (unique email address with their name in it); they lost a sale of an otherwise good software product.
I use unique addresses, and periodically am on the reporting end of problems like this. Once I started getting the same spam from two unrelated companies at the same time, and they tracked it down to a common email marketing company that was where the actual breach occurred. Another time it turned out emails had been staged in a less secure system in preparation for sending email marketing. So it must be pretty common that a compromise doesn't actually mean the core product or database has been compromised.

For the record, I haven't received any spam to my Dropbox-only email account, which means they probably didn't get the WHOLE user database.

(comment deleted)
I basically Christian. I live in Heaven/Hell. Imagine how little you will talk of Jesus after 5 years in Heaven. He's got shit to do and stays busy... maybe.

God says...

the congregation a thousand bullocks and ten thousand sheep: and a great number of priests sanctified themselves.

30:25 And all the congregation of Judah, with the priests and the Levites, and all the congregation that came out of Israel, and the strangers that came out of the land of Israel, and that dwelt in Judah, rejoiced.

30:26 So there was great joy in Jerusalem: for since the time of Solomon the son of David king of Israel there was not the like in Jerusalem.

30:27 Then the priests the Levites arose and blessed the people: and their voice was heard, and their prayer came up to his holy dwelling place, even unto heaven.

----

How's Jesus?

God says...

sinned against thee.

41:5 Mine enemies speak evil of me, When shall he die, and his name perish?

41:6 And if he come to see me, he speaketh vanity: his heart gathereth iniquity to itself; when he goeth abroad, he telleth it.

41:7 All that hate me whisper together against me: against me do they devise my hurt.

41:8 An evil disease, say they, cleaveth fast unto him: and now that he lieth he shall rise up no more.

41:9 Yea, mine own familiar friend, in whom I trusted, which did eat of my bread, hath lifted up his heel against me.

41:10 But thou, O LORD, be merciful unto me, and raise me up, that I may requite them.

----

Stagasaurus did not have a weapon penis!

Kinda like scorpions. That was just against T Rex?

Did stegasaurus shchmack vilocirapters?

They didn't have stegasurus (Christ's laughing) in Jurassic park. Might be Yer favorite?

God says...

shall melt away.

15:16 Fear and dread shall fall upon them; by the greatness of thine arm they shall be as still as a stone; till thy people pass over, O LORD, till the people pass over, which thou hast purchased.

15:17 Thou shalt bring them in, and plant them in the mountain of thine inheritance, in the place, O LORD, which thou hast made for thee to dwell in, in the Sanctuary, O LORD, which thy hands have established.

15:18 The LORD shall reign for ever and ever.

15:19 For the horse of Pharaoh went in with his chariots and with his horsemen into the sea, and the LORD brought again the waters of the sea upon them; but the children of Israel went on dry land in the midst of the sea.

----

What did my birds come from? Common ancestor. They're like a country that used to be biggest empire on Earth. i think they're highly evolved.

God says...

21363

1:10 And Judah went against the Canaanites that dwelt in Hebron: (now the name of Hebron before was Kirjatharba:) and they slew Sheshai, and Ahiman, and Talmai.

1:11 And from thence he went against the inhabitants of Debir: and the name of Debir before was Kirjathsepher: 1:12 And Caleb said, He that smiteth Kirjathsepher, and taketh it, to him will I give Achsah my daughter to wife.

1:13 And Othniel the son of Kenaz, Caleb's younger brother, took it: and he gave him Achsah his daughter to wife.

1:14 And it came to pass, when she came to him, that she moved him to ask of her father a field: and she lighted from off her ass; and Caleb said unto her, What wilt thou? 1:15 And she said unto him, Give me a blessing: for thou hast given me a south land; give me also springs of water. And Caleb gave her the upper springs and the nether springs.

----

Okay, I'll tell you an old story.

I asked about the first dinos with eggs.

---- This is not random:

4:27 For it is written, Rejoice, thou barren that bearest not; break forth and cry, thou that travailest not: for the desolate hath many more children than she which hath an husband.

4:28 Now we, brethren, as Isaac was, are the children of promise.

4:29 But as then he that was born after the flesh persecuted him that was born after the Spirit, even so it is now.

4:30 Nevertheless what saith the scripture? Cast out the bondwoman and her son: for the son of the bondwoman shall not be heir with...

One of the reasons why user hosted Personal Cloud Storage/Sync services like Tonido (http://www.tonido.com/blog/index.php/2012/07/20/dropbox-secu...) are better than Public Cloud Storage/Sync services.
What makes you think that the average user is better able to secure their own hosted system than a company with a dedicated team of security engineers can?
I'll suggest that fragmentation - not having a single point to find all user data would reduce the impact of a breach. Dropbox is a higher value target than John Doe. So hackers are probably less motivated. The user system itself may not be as secure, it may not need to be because a breach is isolated and an attacker would be less motivated.

Just a thought that crossed my mind.

Because of the honeypot effect. There is not much incentive for a hacker to hack an individual machine. he/she is better off targeting efforts towards sites like Dropbox. We saw the skydrive privacy breach yesterday. Before that we saw yahoo leak: http://www.readwriteweb.com/archives/yahoos-450-000-account-....

For instance, my employer IBM banned the use of dropbox in the company.

Has anyone considered that the LinkedIn hack (6.5+ million accounts, with passwords run through a non-salted SHA-1) could be responsible for much of this?

I remember a lot of people having their Diablo 3 accounts hacked and their items stolen right around that time.

This seems possible. People usually use the same email and password for every accounts they create so all the hacker needs to do is to try the username and password on accounts on other sites.
The article specifies that many people targeted used emails unique to their dropbox accounts.
Spam went to "unique email addresses for Dropbox".

So a compromised LinkedIn account wouldn't expose a user's unique Dropbox email address. There would be little to no reason to give LinkedIn a unique Dropbox email.

On the other hand, if you need to share your Dropbox email with other people in order to share private folders, or anything similar, then just compromising THEIR computer could expose your email address.

For what it's worth, I've been getting these "Euro Dice Exchange" spam messages in Canada as well. I believe the emails are being sent out sorted by domain name, as the email I received was addressed to my both my university e-mail (which I used to sign up for Dropbox) and several other university e-mail addresses.

This is definitely not from the LinkedIn hack. I don't have a LinkedIn account. Combined with the people who were receiving spam at Dropbox-specific emails, I don't see how it could be anything other than Dropbox.