Dropbox dropped the ball on security, haemorrhaging customer and third-party info

Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities. The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless …

  1. Pascal Monett Silver badge
    WTF?

    "no evidence that the attacker accessed the contents of users' accounts"

    Well, if the attackers got hold of the OAuth tokens and MFA passwords, how would you know?

    1. Doctor Syntax Silver badge

      Re: "no evidence that the attacker accessed the contents of users' accounts"

      And absence of evidence is not evidence of absence.

  2. Sora2566 Bronze badge

    I don't suppose anyone knows if people who use Dropbox Sign's API need to do anything?

    1. Yorick Hunt Silver badge
      1. Sora2566 Bronze badge

        As it turned out, the answer was "rotate our API key, because Dropbox had restricted our existing one".

  3. Anonymous Coward

    Dropbox are still blocked from the email platforms of a couple of clients who got breached by phishing emails from Dropbox.

    The Dropbox abuse team did not respond to any of our reports to the abuse team + CEO or take any action about the phishing pages hosted there.

    1. 0laf Silver badge

      Dropbox (and other fileshare services) have long been known to hold malicious code.

      They should be avoided but unfortunately much like shitty messenger apps their widespread use means many organisations need to allow some access.

      The mistake is allowing that access to be widespread to keep some managers happy or to let the CEO share his holiday snaps easily.

  4. sitta_europea Silver badge

    They bought this business in 2019, so they've had five years to get the security right.

    And they *still* fucked it up.

    Makes me really glad I always said I'd never touch it, even with a ten metre pole.

    It beats me why anybody bothers with any of this crap. You might just as well buy yourself a barrel and bend over it.

  5. perkele

    Boggle.

    If Dropbox focussed on doing its core mission, well, without jacking up prices and adding in shit many don't want, it might still be a not bad thing.

    But enshittification of all sorts must continue.

    1. robinsonb5

      Indeed. I stopped using it for actual file sync some years ago, when first the Android app wouldn't run any more on my (old, but better at making phone calls than my newer) phone.

      I still used the shared folders facility from time to time, because they worked just the way I wanted them to and were relatively friction free for the end-user too. I could upload a bunch of photos into a shared folder, send a link to the recipient and they could painlessly browse them, view them and download any they wanted to keep - either finely-grained or en masse. That was incredibly valuable since the recipient didn't need to be a collaborator (and thus have the storage deducted from their own quota) - or even logged in.

      They've recently employed every dark pattern in the book to make it next-to-impossible to use that way, without technically withdrawing the facility - so I won't be using it any more.

      Anyone know of a non-shitty alternative, or am I going back to WeTransferring .zip files?

  6. wolfetone Silver badge

    We use this at work, and a few users (although not all, including me) have received the grovelling email apology. But I've been asked for an alternative.

    So, what can I use (other than pen and paper) that isn't this piece of shit?

    1. Doctor Syntax Silver badge

      Use NextCloud. There are quite a few managed hosting providers if you don't want to run it in-house.

      1. Michael Wojcik Silver badge

        Out of curiosity, is there any actual evidence that NextCloud's signing platform is more secure than, say, DocuSign's? I don't work in this area so I don't follow public breach reports of those services closely.

        1. pc-fluesterer.info

          FOSS

          Nextcloud is FOSS, so a secret backdoor would not for long run undetected.

  7. heyrick Silver badge

    a "service account" used by non-humans

    Shouldn't this sort of thing run on the server behind closed doors, and certainly without a public facing (and seemingly unwatched) account?

  8. Martin-73 Silver badge
    Mushroom

    They haemorrhaged me when they appointed a war criminal to their board of directors

    Nice concept, but no.

    1. spacecadet66 Bronze badge

      Re: They haemorrhaged me when they appointed a war criminal to their board of directors

      You're going to have to be more specific. Henry Kissinger, for instance, was on lots of boards.

      1. Tom Chiverton 1 Silver badge

        Re: They haemorrhaged me when they appointed a war criminal to their board of directors

        https://www.theguardian.com/technology/2014/apr/11/dropbox-condoleezza-rice-privacy-surveillance

  9. navarac Silver badge

    Well

    The time is coming very soon, when I feel that I need to store stuff off of Cloud services. I can secure my stuff myself, but why should I trust 3rd parties? But then, I'm only a private individual! Easy for me to say and do.

  10. Z P

    Eh I'm not surprised these compromises are becoming more common

    As these services become more popular, combined with both reduced personnel, lack of skill of existing personnel either due to attrition, or otherwise, it's fast reaching a tipping point (or you could reasonably argue that we have gone over the end...)

    Heck, based on some comments I see (not just here - on various other social media cesspools), I worry about the future with the available quality of employees and their motivations.

    It seems the heady days of Postel et al. are long gone.

    The only good news take away I have is hope - that hasn't been replaced by complete despair, yet...
