Dropbox data breach may cause a spam hangover
John P. Mello Jr. @jpmello
Mar 2, 2013 11:45 AM
Some Dropbox users are complaining about unusual volumes of spam directed at them, and they are linking it to a data breach more than a year ago at the cloud storage service.
“I have an email address that is 10 random characters, uniquely used for Dropbox, and I got spam on it this week,” one forum writer noted.
“If they were spamming my domain, I would have received many more notices, but they only hit one specific address—Dropbox’s,” he continued. “I suspect the Dropbox emails were sold or compromised.”
Another forum member, complaining about spam directed at an email address created specifically for Dropbox use, revealed that the junk mail he received appeared to be a phishing attack built around a bank scam.
“Please be informed, that your most recent Direct Deposit transaction (No.243358739579) was cancelled [sic], because your business software package was out of date,” the spam said. “Please visit the secure section of our web site to see the details.”
The message was followed by a link that, no doubt, would lead whoever clicked on it into trouble.
A sympathetic forum member commiserated: “You are not alone in getting new spams today directed to your Dropbox-exclusive email address—they came to mine too, as well as to the email addresses of each Dropbox account that has shared a Dropbox folder with me.”
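The forum writers above are using a per-service canary address: one random address that only Dropbox ever saw, so spam arriving at it points at Dropbox's address list (or at the address lists of accounts that share a folder with them) rather than at a dictionary attack on the whole domain. The script below is an added example of that check, not code from the article or from Dropbox: it parses a few constructed messages, looks for canary addresses in the To, Cc and MTA-added Delivered-To / X-Original-To headers (spam is usually sent Bcc-style, so To alone misses it), and compares the sender domain with the domain the service is expected to mail from. The canary addresses, the `canary.example` domain and the expected sender domains are all assumptions made up for the example.

```python
import email
from email.utils import getaddresses, parseaddr
from textwrap import dedent

# Constructed: one random local-part per service, the practice the forum
# writers describe. Addresses and domain are invented for this example.
CANARIES = {
    "k3j9x2m7q1@canary.example": "Dropbox",
    "p8w4n6d2b5@canary.example": "bank",
    "a1s2d3f4g5@canary.example": "newsletter",
}

# Domain each service is expected to send from (assumed for the example).
EXPECTED_SENDER_DOMAIN = {
    "Dropbox": "dropbox.com",
    "bank": "bank.example",
    "newsletter": "news.example",
}

# Delivered-To / X-Original-To are added by the receiving MTA and carry the
# envelope recipient even when the spammer Bcc'd everyone.
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")


def recipient_addresses(raw_message):
    """All addresses the message was addressed or delivered to, lower-cased."""
    msg = email.message_from_string(raw_message)
    values = []
    for header in RECIPIENT_HEADERS:
        values.extend(str(v) for v in msg.get_all(header, []))
    return {addr.lower() for _name, addr in getaddresses(values) if addr}


def attribute(raw_message):
    """Which canary was hit, who sent it, and what that implies."""
    msg = email.message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    services = sorted({CANARIES[a] for a in recipient_addresses(raw_message)
                       if a in CANARIES})
    if not services:
        verdict = "no canary hit"
    elif len(services) > 1:
        # Several unrelated canaries in one mail means the domain is being
        # sprayed, not that one service leaked its list.
        verdict = "address spray"
    elif sender_domain == EXPECTED_SENDER_DOMAIN.get(services[0]):
        verdict = "expected sender"
    else:
        verdict = "leaked address"
    return {"services": services, "sender_domain": sender_domain, "verdict": verdict}


# Constructed sample messages (not real mail).
SPAM_TO_DROPBOX_CANARY = dedent("""\
    From: "Direct Deposit Service" <noreply@bank-secure-login.example>
    To: undisclosed-recipients:;
    Delivered-To: K3J9X2M7Q1@canary.example
    Subject: Direct Deposit transaction cancelled

    Please visit the secure section of our web site to see the details.
    """)

LEGIT_FROM_DROPBOX = dedent("""\
    From: Dropbox <no-reply@dropbox.com>
    To: k3j9x2m7q1@canary.example
    Subject: Someone shared a folder with you

    A folder was shared with you.
    """)

SPRAY = dedent("""\
    From: Promo <promo@deals.example>
    To: k3j9x2m7q1@canary.example, p8w4n6d2b5@canary.example
    Cc: a1s2d3f4g5@canary.example
    Subject: Great offers

    Click here.
    """)

if __name__ == "__main__":
    for label, raw in [("spam", SPAM_TO_DROPBOX_CANARY),
                       ("legit", LEGIT_FROM_DROPBOX), ("spray", SPRAY)]:
        print(label, attribute(raw))
```

The first sample reproduces the forum case: the only canary hit is the Dropbox one and the sender is not a Dropbox domain, so the address was leaked or sold by whoever held Dropbox's list. The third sample shows why more than one canary in the same mail should not be read as a Dropbox leak.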
Dropbox denies a spam glut
Despite the complaints, Dropbox said it hasn't found anything to suggest the spam is out of the ordinary. “At this time, we have not seen anything to suggest this is a new issue, but remain vigilant given the recent wave of security incidents at other tech companies,” a Dropbox team member wrote in one of its forums.
The team member also threw some volunteer moderators under the bus. “[W]e want to apologize for some of the dismissive responses from our volunteer moderators—since they aren’t employed by Dropbox, they don’t have visibility into issues like this,” he wrote. “We want you to know that we’ve taken these reports seriously and began our investigation immediately.”
Last summer, Dropbox investigated a possible breach of its systems. At that time, it said there was no evidence that its systems had been compromised or that user data had been exfiltrated.
Spam complaints by users at that time were traced to data thefts at other websites, according to Dropbox.
The cloud storage provider did acknowledge that one of its employees had the password to his account stolen, and that a document containing user email addresses nicked from the account was used to spam those users.
Users concerned about their Dropbox security can activate two-factor authentication for their account. That way, if someone tries to log in to the account from a new location, Dropbox will also ask for a security code that it sends to the account holder's cell phone.
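What makes a texted security code a second factor is less the code than the rules around it: it must expire quickly, be usable once, survive only a handful of guesses (six digits is a space of a million, so unlimited tries would defeat it), and be compared in constant time. The class below is an added illustration of that server-side bookkeeping, not Dropbox's implementation; the five-minute lifetime, five-guess budget, six-digit length and the in-memory store are assumptions chosen for the example. Sending the code to the phone is out of scope here; `issue()` simply returns it to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is dead after five minutes
MAX_ATTEMPTS = 5         # assumed policy: guesses allowed before the code is burned
CODE_DIGITS = 6


class OneTimeCodeStore:
    """Server side of an SMS-style second factor (illustrative, not Dropbox's code).

    The code goes to the phone out of band; the server keeps only a keyed
    hash of it, an expiry time and an attempt counter.
    """

    def __init__(self, server_key=None):
        # The key never leaves the server (in practice an HSM/KMS holds it),
        # so a dumped table of hashes cannot be brute-forced over 10^6 codes.
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}   # user -> [mac, expires_at, attempts]

    def _mac(self, user, code):
        return hmac.new(self._key, f"{user}\0{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, now=None):
        """Create a fresh code for `user` and return it so the caller can send it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A new code replaces any older one: only one is live per user.
        self._pending[user] = [self._mac(user, code), now + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user, code, now=None):
        """True exactly once for the right code inside its window; False otherwise."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        mac, expires_at, attempts = entry
        if now > expires_at:
            del self._pending[user]
            return False
        entry[2] = attempts + 1
        # Constant-time comparison of MACs: no early exit on the first wrong byte.
        ok = hmac.compare_digest(self._mac(user, str(code)), mac)
        # Burn the code on success (single use) or once the guess budget is spent.
        if ok or entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("sent (by SMS in a real system):", code)
    print("wrong code accepted?", store.verify("alice", "000000"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The attempt counter is incremented before the comparison and the code is deleted on the fifth miss, so an attacker who intercepts neither the phone nor the server key gets at most five guesses out of a million per login; a lost phone is the remaining risk, which is why the code is bound to a login attempt and expires.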
This week Windows, iOS, and Android users received an additional measure they can take to secure their Dropbox data. A South Korean company, Fasoo, introduced a file encryption app for Dropbox that’s free to use during its beta stage.
The app, called DigitalQuick, uses strong encryption (AES 256-bit) and can be used to safeguard files on a Windows desktop, as well as in Dropbox. An OS X version is in the works, according to Fasoo founder and CTO Kyugon Cho.
In addition to encryption, DigitalQuick allows you to customize what can be done with a file when you share it with others, Cho said.
“Encryption alone isn’t enough,” she said in an interview. “We also give you control.”
For example, permissions and restrictions can be imposed on files or folders. They can be made read-only or editable.
In addition, the app will monitor user activity and track when and on which devices users log in, to ensure files are accessible only to their intended recipients.