Dropbox Security Breach

[ThatPlace928]

I have a few customers who use Dropbox. How worried should they be about this breach and what can be done to make it more secure on their ends?

Has anyone with Dropbex been contacted and, if so, how were you contacted? Did they send a link to provide a new password?

"In response to the hack, Dropbox says that they are contacting all affected individuals with detailed instructions to enhance their data security. Additionally, their security team has reset the passwords of those affected."

Dropbox Sign confirms hack that gained unauthorized access to users’ personal data

Dropbox reported a breach affecting its electronic signature service, Dropbox Sign, which allowed unauthorized access to users’ emails, usernames, phone numbers, and passwords.

www.ktnv.com

 

[britechguy]

Did they send a link to provide a new password?

On that count, I sincerely hope not, as it encourages "bad behavior" on the part of end users.

It's one thing if the user did something to trigger a link to be sent, another if it just lands in their inbox, regardless of who sent it. Instructions for accomplishing a password reset by "manual login" to their site would be much better.

 

[ThatPlace928]

On that count, I sincerely hope not, as it encourages "bad behavior" on the part of end users.

It's one thing if the user did something to trigger a link to be sent, another if it just lands in their inbox, regardless of who sent it. Instructions for accomplishing a password reset by "manual login" to their site would be much better.

That's what I'm wondering. I have a few customers who use Dropbox and I'd like to be prepared to help them, if needed. It says Dropbox reset the passwords of those affected but what does that even mean? Maybe they have to go through "forgot my password" to reset it themselves? Or was a reset link provided in an email?

 

[YeOldeStonecat]

I would go have your customers change passwords...regardless of if DropBox kicked the password reset. Part of the breach was the bad actors obtaining OAuth tokens...and access to APIs....thus...they can "reach into the DropBox account".

And..of course...since it's an online service, MFA should be enabled. Check MFA devices in the account, kick out any your client doesn't recognize.

 

[ThatPlace928]

I would go have your customers change passwords...regardless of if DropBox kicked the password reset. Part of the breach was the bad actors obtaining OAuth tokens...and access to APIs....thus...they can "reach into the DropBox account".

And..of course...since it's an online service, MFA should be enabled. Check MFA devices in the account, kick out any your client doesn't recognize.

I'm not familiar with Dropbox, unfortunately, but will do my best and advise my clients to manually change their passwords.

 

[timeshifter]

Everyone seems to be skipping over the fact that the breach affected Dropbox Sign, not plain Dropbox.

"The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone.

"Another nugget of positivity is that Dropbox hasn't seen evidence that its other products have been impacted. That may be because, as detailed in the blog post, "Dropbox Sign's infrastructure is largely separate from other Dropbox services.""

I had never even heard about Dropbox sign until today. While it's good to be cautious and practice good security habits, the sky is not falling for general Dropbox users.

 

[ThatPlace928]

Everyone seems to be skipping over the fact that the breach affected Dropbox Sign, not plain Dropbox.

"The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone.

"Another nugget of positivity is that Dropbox hasn't seen evidence that its other products have been impacted. That may be because, as detailed in the blog post, "Dropbox Sign's infrastructure is largely separate from other Dropbox services.""

I had never even heard about Dropbox sign until today. While it's good to be cautious and practice good security habits, the sky is not falling for general Dropbox users.

Thank you for that. I'd never heard of Dropbox Sign until today either. I appreciate the distinction.

 

[britechguy]

Everyone seems to be skipping over the fact that the breach affected Dropbox Sign, not plain Dropbox.

I noticed this, but plead guilty to skipping over that detail in my response here. I'm with you in that this probably has a limited impact since Dropbox Sign is not nearly as ubiquitous as "plain" Dropbox.

 

[YeOldeStonecat]

Everyone seems to be skipping over the fact that the breach affected Dropbox Sign, not plain Dropbox.
Dropbox users.

No I didn't..I believe it's SSO now since they bought/merged the service....thought they integrated the login last fall/winter...not positive. But..don't care enough about dropbox...don't use it (only have an account to get files from others)...don't resell it..don't support it. If the creds are "SSO"..the same creds and OAuth can be used to step across into DropBox. And...even DropBox themselves aren't 100% positive about it. Even if it is not SSO yet (nor will ever be)...I'd not 100% feel comfy in their words from page "and believe that this incident was isolated"...and I'd want to be positive I changed my password "just in case" the accounts somehow share authentication at the entrance.

 

[YeOldeStonecat]

Just tested...I can sign into DropboxSign...right from my DropBox account..they cross pollinate.