Dropbox hacked. [old but relevant]

With all the major services that have been hacked over recent times, I did miss the notifications that Dropbox had been hacked.

Just a bit of information up front. When I sign up to a service I use a fresh email address each time. So, for instance, when I signed up to Dropbox I used something like dropbox@mydomain.com.

So if I get a spam, I can look at which address it was sent to and see immediately which company has either been hacked, shared/sold my details or otherwise allowed my personal data to escape.

Anyway, back to Dropbox. I just got a spam in my mailbox, looked at the To: field and it was my Dropbox login email address. I did a quick search and it appears they got hacked along with a lot of other companies back in 2012. 2012 was a busy year for hackers. Anyway, I have just gone in and done a preventative password change and changed my login email address. The old email address is now invalid and my mail server will bounce any emails sent to it.

I am posting this for those who have a Dropbox account so you can reset your password, as it appears that a new team has got hold of the data dump and is starting to make use of it. The hack only came to light in August 2016, 4 years later. If you signed up for Dropbox prior to 2012 and haven't reset your password since, it might be an idea to do this now. I am not sure, but I suspect Dropbox will have forced this at the time; I can't remember, to be honest.
 

WSandME

I've used the same tactic of newservice@mydomain for years, but I now wonder why - almost every service has provided a leak :~(
Of course, some of these may be a "generated" address at mydomain, where the spammers add common names such as facebook, twitter, ebay, dropbox, &c. to each domain they're spamming. I get many which are random numbers or strings @ mydomain.

At first I was winning, but now, after many years, I have so many service addresses that my service provider doesn't offer sufficient discrete mailboxes (in my price range) to allow the spammed ones to go straight to Null. In any case even the spammed ones may still have occasional valid messages from the legitimate originator.

Sorry, I'm rambling... It's late and I have a cold :~(
 
Gromett (OP)
I don't do a separate mailbox for each one. I add an alias to a single mailbox. This is not a catchall mailbox either. Basically I create a default mailbox, which only accepts email to that one address and REJECTS at the first opportunity any attempts to send emails to anything else. I then add aliases to this mailbox. It sounds like you are using a catchall whereby anything@yourdomain.com gets delivered? Catchalls are the enemy of anti-spam measures, as you then always accept all emails and have to filter after.

Anyway, I periodically go through and prune this alias list to keep it manageable. I currently have fewer than 50 aliases in my list.

I don't use dropbox@mydomain.com; I always add a 3-digit number either before or after the username part to prevent it being guessed. The third digit starts at 0 and goes up so I can track how many times I have had to change it with a specific operator. This might sound like a lot of hassle, but once you have it set up it is extremely easy to manage.

As for valid messages from legitimate operators, because each operator has their own unique email address and I update it with them if I change it, they have no problems contacting me :D

I have used this system for 15 years now and it has proven to be the most effective anti-spam measure I have.
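
As an added example, not part of the original posts: a Python model of the reject-by-default alias scheme described in the post above, deciding at RCPT time whether to accept a recipient and attributing hits on retired aliases to the service whose address leaked. The domain, mailbox name, alias values and function names are assumptions constructed for illustration, and the digits are placed after the service name only.

```python
import re

DOMAIN = "mydomain.example"   # constructed placeholder domain
PRIMARY = "me"                # assumed name of the one real mailbox
# Constructed aliases: service name + two fixed digits + rotation counter.
ACTIVE = {"dropbox471": "dropbox", "ebay380": "ebay"}
# Retired aliases are kept only to attribute a leak; mail to them bounces.
RETIRED = {"dropbox470": "dropbox"}
ALIAS_RE = re.compile(r"^([a-z]+)(\d{2})(\d)$")


def rcpt_decision(rcpt):
    """Return (smtp_code, action, service) for one RCPT TO address."""
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != DOMAIN or not local:
        return (550, "reject", None)
    if local == PRIMARY:
        return (250, "deliver", None)
    if local in ACTIVE:
        return (250, "deliver", ACTIVE[local])
    if local in RETIRED:
        return (550, "reject-leaked", RETIRED[local])
    return (550, "reject", None)  # guessed or generated address, no catchall


def rotate(local):
    """Retire an active alias and return its successor (counter + 1)."""
    m = ALIAS_RE.match(local)
    if not m or local not in ACTIVE:
        raise ValueError("not an active alias: " + local)
    service, fixed, counter = m.group(1), m.group(2), int(m.group(3))
    if counter == 9:
        raise ValueError("counter exhausted; pick new fixed digits")
    new_local = f"{service}{fixed}{counter + 1}"
    RETIRED[local] = ACTIVE.pop(local)
    ACTIVE[new_local] = service
    return new_local


def leak_report(recipients):
    """Count rejected recipients per service whose retired alias was hit."""
    hits = {}
    for rcpt in recipients:
        _, action, service = rcpt_decision(rcpt)
        if action == "reject-leaked":
            hits[service] = hits.get(service, 0) + 1
    return hits
```

Keeping retired aliases in their own table costs nothing at delivery time, since they are still refused, but it turns each bounce into a record of which operator's copy of the address is circulating.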
 

WSandME

Gromett, Thanks for your ideas. Do you mind if I grill you a bit more, as I'm not sure I fully understand?

My account allows me to create 50 mailboxes, 50 email forwarders, 50 group addresses.

I currently have mailboxes set up for Me, the Mrs and "suspect". I have just abandoned the "catchall > suspect" which I tried for a few weeks as I end up with valid emails hidden in all the dross so I was no better off.

At a rough guess, I have approximately 100 service accounts using my domain (although I could probably cull 20% of them). I probably add a couple a month.

How would / could your scheme fit into those constraints?

I thought about your tactic of prefixing the service name - if I altered all my current servicename@domain to (Fixed Obscure Prefix)(Sequence No.)(Servicename)@domain
I could effectively vet all valid incoming from servicenames if I could parse the destination address and accept anything commencing with (Fixed Obscure Prefix) and reject anything else.

Of course, as far as I can see, my provider doesn't offer the facility to parse the incoming address field. Neither can I see an option of buying more forwarders. I will ask them what is possible.

Thanks again.
