Date: Tue, 21 Jun 2011 11:08:13 -0400
From: Forensication
To: support@dropbox.com
Subject: Re: Important Dropbox Security Update - Please Read

Dear DropBox,

Thank you so much for the email notifying me of your horrible lapse of security this past Sunday. Although I have been cautious about what data I have kept available in your online storage, I have some points of concern that I think a few other people may share:

* Although your disclosure email indicates that I was logged into the Dropbox website at the time, the event logs on the website that you advised I check do not show this activity. In fact, they show no activity at all for the day in question. Any explanations?

* In general, your activity logs are lacking in critical details. There is no record of when a user logs in, where (IP) they connected from, or when or if they logged out. Having this data on hand would help in assessing if there is a need to be concerned about improper access.

* There is no record of what files were viewed / downloaded via the web interface. If someone were to have accessed an important file with potentially sensitive data, there is no way to tell.

* Your authentication failure notice only makes mention of the web interface. What about other devices? Could someone have added my account to their device and automatically downloaded everything?

Being that this issue affected a "small number of users", as you put it, it should be a small effort and a great gesture on your part to provide all affected users with detailed logs of any and all activity that took place on their accounts at the time of the authentication failure. With a disturbing number of breach disclosures turning up in the news day after day, there is no such thing as too much information.

I hope you will do the responsible thing and fully disclose everything you know to all of the affected parties so that each affected individual can make an informed decision about what actions to take in the future.

Regards,
-J
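The message above lists the fields an activity log would need (login time, source IP, logout, file views and downloads, device links) for an affected user to judge whether an account was misused during the authentication failure. The following is an added example, not code from the original post or from Dropbox, of the review such a log would allow: it filters one account's events to an incident window, flags sessions from IPs the owner does not recognise, and reports any file access or device link made from those sessions. The event schema, the sample log lines, the known-IP list and the incident window are all constructed assumptions; the date matches "this past Sunday" relative to the message (19 June 2011), but the hours are invented for illustration.

```python
"""Audit-log review for one account during an authentication-failure window.

Added example; not part of the original mailing-list post or of any vendor's
code. The event format, sample log, known IPs and window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime      # timezone-aware timestamp
    account: str
    kind: str         # login, logout, view, download, device_link
    src_ip: str
    detail: str = ""  # file path or device name, when applicable


# Constructed sample log (assumption): "<ISO-8601 ts> <account> <kind> <ip> <detail|->"
SAMPLE_LOG = """\
2011-06-19T20:30:00Z alice login 203.0.113.10 -
2011-06-19T20:31:00Z alice view 203.0.113.10 /docs/notes.txt
2011-06-19T21:10:00Z alice logout 203.0.113.10 -
2011-06-19T22:15:00Z alice login 198.51.100.7 -
2011-06-19T22:16:00Z alice download 198.51.100.7 /finance/taxes-2010.pdf
2011-06-19T22:17:00Z alice device_link 198.51.100.7 unknown-laptop
2011-06-20T03:00:00Z bob login 192.0.2.5 -
"""

NO_EVENTS = "no events recorded in window; cannot confirm or exclude access"


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, ip, detail = line.split(maxsplit=4)
        # Older Pythons do not accept a trailing "Z" in fromisoformat.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, account, kind, ip, "" if detail == "-" else detail))
    return events


def review(events, account, window_start, window_end, known_ips):
    """Return (in_window, findings) for one account.

    in_window: every event for the account inside the window, in time order.
    findings: logins from IPs not in known_ips, plus any view/download or
    device link made from such an IP. An empty window is itself reported,
    since a log that shows nothing cannot rule anything out.
    """
    in_window = sorted(
        (e for e in events
         if e.account == account and window_start <= e.ts <= window_end),
        key=lambda e: e.ts,
    )
    findings = []
    suspicious_ips = set()
    for e in in_window:
        stamp = e.ts.isoformat()
        if e.kind == "login" and e.src_ip not in known_ips:
            suspicious_ips.add(e.src_ip)
            findings.append(f"login from unrecognised IP {e.src_ip} at {stamp}")
        elif e.kind in ("view", "download") and e.src_ip in suspicious_ips:
            findings.append(f"{e.kind} of {e.detail} from {e.src_ip} at {stamp}")
        elif e.kind == "device_link" and e.src_ip in suspicious_ips:
            findings.append(
                f"device '{e.detail}' linked from {e.src_ip} at {stamp}; "
                "assume a full sync of the account followed"
            )
    if not in_window:
        findings.append(NO_EVENTS)
    return in_window, findings


if __name__ == "__main__":
    # Assumed incident window and the owner's own IP (constructed values).
    start = datetime(2011, 6, 19, 20, 0, tzinfo=timezone.utc)
    end = datetime(2011, 6, 20, 0, 0, tzinfo=timezone.utc)
    _, flags = review(parse_log(SAMPLE_LOG), "alice", start, end, {"203.0.113.10"})
    for f in flags:
        print(f)
```

The check only works because every event carries a timestamp and a source IP and because file access and device links are logged as events at all; with only the web-interface login shown, as the message describes, the function's output is the single "no events recorded" line, which is exactly the situation the writer is objecting to.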