Dropbox major breach: change your password asap

I asked the guys I work with (it's lunchtime atm) who uses their phone to check emails- all 5 of us do
I am the only one with a password (4-digit PIN no. actually) on my phone
all of us have our emails open (without asking for a password) when our email apps start up

So I am the only one of 5 that if I lost my phone, would stand a (small) chance of not having their emails compromised

I checked and I can change my password on my email without having to know the old one- so having any of the other 4 phones, I could easily change their email passwords to a new one.
Using SMSes as a second layer of defence wouldn't help as the SMS would go to the phone I am using, so I would have that too


Same if the forum introduced an SMS required to change password- I could go to the forum (like most I have it in my favs on the browser), change the password on the email (hence locking out the true poster), change the password on the forum (via access to the email), and introducing SMS verification would do nothing (as an SMS would be sent to the very phone I am using!!!)

Interesting conundrum- at best it would provide a very small (tiny really) level of extra security, and with the number of people that regularly swap providers and often get a new phone number, an SMS could actually prove to be quite a turn off in user usefulness
Before the advent of smart phones an SMS would indeed have been a useful security provision, these days- bah- it's like providing an old skeleton lock on a brand new house- totally useless

Your IT is horribly set up and incredibly insecure, a second factor can't help if the basics aren't set up correctly (adding lipstick to a pig).

Using SMS as a second factor is only helpful when the first factors are set up, and you have a separate secure system set up to unlock the cell phone (fingerprint, iris or secure pass code).

In a normal situation where people use the most basic and obvious security measures adding a second factor increases security radically.
Basic and obvious equals:
  1. Secure unlock system on phone.
  2. Strong password on email.
If you fail at either of these two there is zero point in adding more security layers.

I think the message here is do not have websites send password resets to the email that is on your phone. People need at least two email addresses.
1. On your phone.
2. On your desktop or other device you leave at home.

It is the second one that you tell organisations is your email address. It is far less likely that someone will steal your home computer than your phone.

These are privately owned phones, so each individual owner is "the IT department" and they are likely to be fairly representative of how such phones are set up. My own is the most secure of the lot, and as I use a second "nonpersonal" yahoo account for forum signups and the like, my personal details are relatively safe lol

The thing that continues to amaze me is how little most people do actually think about online security, my email accounts NEVER contain my real name in them (I HATE IT depts that default to first name second name at company dot com). Same with this push to "stop internet trolls" on comments etc by requiring you to post your real name... I learnt back when the internet was still BBSes that having your real name- esp in a small town where you are the only one with that name- could lead people you were having an online disagreement with straight to your door IRL

With the widespread acceptance of things like facebook etc, it is extremely worrying for me the number of people I can easily find out every personal detail I need to find them IRL- in many cases with little more than simply reading their profiles and postings.... many people simply have no idea of how easy they are to find IRL from what they put online
Company email addresses are used for business communication and with customers, a lot of whom would be aggravated by the lack of etiquette if they have to communicate with someone who uses "ElvenKing1066" as a name.
 
Funnily enough, I have just made a new Dropbox account, because I got Scrivener for both the Mac and iOS, and it only does sharing via Dropbox right now.

I had an older Dropbox account that I never used. It's got a unique password (that I never used anywhere else, which I don't do anyway. All my accounts have different passwords). So unique that I don't remember it. I guess I'm safe with the breach, as they only learned one of my email addresses (and even that may be one I don't use anymore) and a password that's different from all my other passwords (most importantly, very different from the password used for the email account I used to set up Dropbox with).

RANT! They do have a series of actions disguised as an "Introduction to Dropbox". I didn't even notice that they started this thing. Nevertheless, any time I start the Dropbox app, or log into their web page, it notifies me "Only 4 steps to reach Dropbox mastery!" or some such. Those steps include sharing a link and folder, sharing your contacts, and inviting friends. In short, get to know your social environment.

I DO NOT WANT. I already know how to do all that if I needed to do that (or can easily figure out how). I don't want you to know my contacts. I don't want to share with others. I just want to share with myself, because I have this amazing app that unfortunately only works with you right now (they have good reason to)!

Except that I can't get rid of this notification. I did some googling, and it's been there since forever, and you cannot turn it off. They really really want to know.

And then they got hacked.

Wonderful. Awesome. Just peachy.

*********.
Even if you don't care about your dropbox, the real danger is password reuse on accounts you might care about. The email/password combo you used to sign into dropbox is compromised, and that means any other accounts with the same combo are compromised as well. If you regularly use one password or email for your accounts, you should change all of them.

That's why my email password is complex and not reused, but all the stupid forum and various logins which are inconsequential? password123.
 
I don't use dropbox, but it says vbulletin -- which is this web site among many others? Or is that literally the web site for the creators of the discussion software used here?