Dropbox Breach: Fewer Than 100 Accounts Affected, But One Person Actively Exploited Security Hole

It’s been an incredibly rough week for Dropbox. On Monday, news broke that a bug in the service’s authentication software effectively made passwords optional for around four hours over the weekend — meaning that you could log into anyone’s account simply by entering their user name.

Given what Dropbox is used for — namely, syncing your most important files between computers — that’s a huge deal. Especially since the service has promoted its security features as one of its selling points. At the time Dropbox said that “much less than 1 percent” of users could have potentially been affected. Now we’ve obtained an email that Dropbox sent out this afternoon to users who were affected by the breach and it’s much more specific.

First, the good news: the scale of the attack affected “fewer than a hundred accounts” out of Dropbox’s 25 million total users. But according to the letter, those accounts were all accessed by a single individual. In other words, these weren’t accidental logins due to typos — someone discovered the hole and actively used it to access files that were not theirs. That’s obviously very alarming.

Dropbox isn’t commenting on the breach, so it’s unclear whose accounts this individual was targeting, or if the attack was targeted at all.

Here is one version of the letter that’s apparently being sent to users whose accounts were accessed, but did not have files viewed or downloaded — a second version indicates if files were in fact accessed. Note that the letter was written by Dropbox CEO Drew Houston, who offers to speak on the phone to anyone whose account was breached.

Subject: Important Dropbox Security Notice – Please Read

xxxx,

Earlier this week, we wrote to tell you about a security lapse at Dropbox. Today I am writing to tell you something I never expected to tell a customer. During our forensic analysis, we discovered that an extremely small number of accounts, including yours, were subject to some suspicious activity.

Our investigation revealed that at around xx:xx on x/xx/xxxx someone logged into your account. It is likely that your account was compromised by a third party. According to our records, neither your account settings nor files were modified. Information such as file and folder names would have been viewable, but our records do not indicate that any files were viewed or downloaded. Nevertheless, as a precaution we recommend that you take the following steps:

* If you had sensitive, personal, or financial information in your Dropbox or in the names of the files in your Dropbox account (for example, credit card numbers, bank account information, social security numbers) you should monitor your credit for any suspicious activity. You can learn more about identity theft at the FTC’s Identity Theft Site http://www.ftc.gov/bcp/edu/microsites/idtheft/ .

* We have made arrangements for you to have free access to a credit monitoring service. Please email us at support@dropbox.com if you would like to use this program. You may also want to consider canceling any credit cards whose information was located in the folders listed above.

* If you stored passwords in your Dropbox, please make sure to change those passwords as soon as possible.

* Again, we urge you to review your account for any unauthorized activity and inform us immediately about your concerns.

As we mentioned earlier, the security lapse occurred during a code update that introduced a bug affecting our authentication mechanism. We will continue our investigations, but as best as we can tell right now, a single individual took advantage of the lapse to access fewer than a hundred accounts. Our team has been working around the clock to understand what happened and to make sure that it never happens again.

I cannot express how deeply sorry I am. Dropbox is my life, and I know that we are only as good as the trust we have built with our customers. This should not have happened, and I am hopeful that you will give us the chance to make this right and regain your trust.

I am here and ready to answer your questions and do whatever I can to help. Please do not hesitate to call me at +x-xxx-xxx-xxxx. Or if you’d like me to call you just reply with your phone number and I’ll give you a call.

Drew


Drew Houston
CEO, Dropbox