Dropbox has been Compromised

Public Service announcement:

1 Like

And this is an example of why you use a different password (and username if you can) for everything.

Password managers are great.

1 Like

Been using LastPass; also have it set up to change passwords periodically.

Similarly, I'm using KeePass2 on Windows, and KeePassX on Linux, after falling victim to someone getting my one password to rule them all.

I figured something happened with Dropbox when I got an email saying they were having users update their passwords on the 26th -- granted it said it was for passwords from mid-2012 and earlier.

Yeah I heard about this from the IT department at the university. So I changed it and researched a bit, because I thought it was strange that my phone and laptop didn't need to have the new password written in anywhere.

Turns out you only need the password when attaching a new device and from then on there is a key-file/certificate stored on your device. Which means I'm going to go around stealing my friends' keys when they are not looking and mess with their Dropbox just to prove a point. Also, imagine a virus/worm/infection on your device picking it up. hmm.. nice thought. I'm going to drop Dropbox in the near future.

This article is from 2011. I have not looked into whether it's still exactly the same way, but alas, the keyword is still only used when setting it up, so they must still be using another form of identification and authentication of the connection.

https://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

What, did they get the passwords in plain text? Nothing really said if the passwords were hashed or not, smh.

1 Like

Nonsense, everyone knows that post-it notes underneath the keyboard are much more secure and immune to remote hacks ;-)

Oh, also 2FA, why do people still not set that up on everything that offers it?

2 Likes

I know a guy who writes his pw's in a notebook and puts said notebook into a locked safe.

I may or may not do that...

You can check haveibeenpwned.com to see if you're included in the dump. It's not entirely fresh data, so if you changed your password or created your account in the past two years or so, you are not affected as far as I know.

I quit Dropbox a couple of years back when it was revealed that they had shared the contents of your storage with "third party affiliates". Haven't kept up to date though I can't see why they'd change that as they defended it back then, after first having denied it.

1 Like

Same reason why I self host.

Good thing the email I used for Dropbox is not linked to anything else, and the only file I have uploaded is a recipe for chocolate creme eggs.

I used to do that, but now I have memorized 5 different passwords and have 6 variations of each,

same 5 passwords, same 6 variations, just different combinations.

ehh
my dropbox just has my cellphone camera backup
and some family photos
and porno of course
diff password for everything huzzah

Mine only has work stuff on it, including passwords.

When my boss decided back in 2011 that we should Dropbox, I told him it was a bad idea.
Just sent him a "told you so" mail with a screenshot of the haveibeenpwned summary of his account.

2 Likes

You can change your password now, but they've had your passwords for like 4 years.

1 Like

I haven't used Dropbox in years, and recently I've started the move to internal services whenever possible, such as setting up an ownCloud server to sync files between my devices and a GitLab server to manage my source code. I feel much safer knowing that the security of these services is in my hands and for the most part behind my firewall. I also use KeePass and have unique 64-character, 380-bit strings whenever possible (WTF PayPal for the 6-12 character password limit). At the moment the only external storage service I use is Mega.co.nz for external backups, but I PGP-encrypt everything before I upload.

True security is having nothing of value to anyone else.

1 Like

fuck my hentai collection NOOOOOO!!!!!

2 Likes