Heard back from Dropbox today. As promised, I'm posting their reply. If you missed my original email to them, it's online at http://jjjjj.us/92

================================================================================
Date: Wed, 22 Jun 2011 17:49:33 +0000
From: Ryan M - Dropbox Support
To: Forensication
Subject: [Dropbox Support] Re: Re: Important Dropbox Security Update - Please Read

Hi J,

We're sorry for this situation and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates through our blog post linked here: http://blog.dropbox.com/?p=821.

Our records show that the following IP address was logged during the time period: XX.XXX.X.XXX

This IP address has since not logged into your account and I can also confirm that no hosts were linked to your account nor was your password compromised.

If there is anything further I can do to assist, please be sure to let me know.

Regards,
Ryan
================================================================================

Although I was glad to see that the IP listed was one of my own and that machine did briefly connect to their systems during that time period, I fail to see how they can confirm that my password was not compromised. They really can't prove or disprove that to be the case, can they? Additionally, they failed to answer the really important question: were any files downloaded via the web interface?

I have since moved almost everything out of Dropbox's systems, have hit the 'permanently delete' button on the files, and am now using rsync+ssh+key on my own servers to do what Dropbox was doing before. In light of the paper released by sba-research (PDF at http://jjjjj.us/96) highlighting the swiss-cheese security of cloud-based storage, I'd say I made the right decision.
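For readers who want to do the same, here is an added example of the rsync+ssh+key setup the post mentions. It is not the author's script and not part of the original post; the key path, account name, hostname and directories are assumptions, and it assumes rrsync (the restricted-rsync helper shipped in rsync's support/ directory) is installed on the server. The point that Dropbox's incident makes is that the credential checked on the server side should be something the server actually verifies and that can do nothing but the one job: here the key is bound on the server to rsync into a single directory, with no shell, pty or forwarding.

```shell
#!/bin/sh
# Added example, not code from the original post. rsync over ssh with a
# dedicated key, and the server-side authorized_keys entry that confines
# that key to rsync into one directory. Everything below is an assumption:
KEY="$HOME/.ssh/sync_ed25519"       # generated with: ssh-keygen -t ed25519 -f "$KEY"
REMOTE_USER="backup"                # unprivileged account on the server
REMOTE_HOST="backup.example.org"    # the server
REMOTE_DIR="/srv/backup/j"          # destination root on the server
LOCAL_DIR="$HOME/Sync"              # local tree to mirror

# Server side: build the ~backup/.ssh/authorized_keys line for this key.
# command= forces rrsync, which only allows rsync invocations and resolves
# every path under REMOTE_DIR; the no-* options remove shell-adjacent
# capabilities so a stolen key cannot be turned into a login.
# Argument: the contents of the .pub file.
restricted_authorized_key() {
    pubkey="$1"
    printf 'command="rrsync %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$REMOTE_DIR" "$pubkey"
}

# Client side: mirror LOCAL_DIR to the server. IdentitiesOnly stops ssh from
# offering other keys, BatchMode fails instead of prompting for a password
# (so a broken key never degrades into password auth). With rrsync on the
# other end the destination is written relative to REMOTE_DIR, hence "./".
# Extra arguments (e.g. --dry-run --itemize-changes) are passed to rsync.
run_sync() {
    rsync -az --delete "$@" \
        -e "ssh -i $KEY -o IdentitiesOnly=yes -o BatchMode=yes" \
        "$LOCAL_DIR/" "$REMOTE_USER@$REMOTE_HOST:./"
}

# Preview what would change before committing to a --delete mirror.
preview_sync() {
    run_sync --dry-run --itemize-changes
}
```

Install the line produced by `restricted_authorized_key "$(cat "$KEY.pub")"` into the backup account's authorized_keys on the server, run `preview_sync` once to confirm the key is accepted and the file list is what you expect, then `run_sync` (from cron, for instance). Because the server only ever sees rsync requests scoped to REMOTE_DIR, the blast radius of a leaked client key is the backup tree itself, not a shell.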