From the “like seriously??” department comes news that Dropbox may be sending your data to OpenAI:
On Wednesday, news quickly spread on social media about a new enabled-by-default Dropbox setting that shares your Dropbox data with OpenAI for an experimental AI-powered search feature. Dropbox says that user data shared with third-party AI partners isn’t used to train AI models and is deleted within 30 days.
Even with assurances of data privacy laid out by Dropbox on an AI privacy FAQ page, the discovery that the setting had been enabled by default upset some Dropbox users. The setting was first noticed by writer Winifred Burton, who shared information about the Third-party AI setting through Bluesky on Tuesday, and frequent AI critic Karla Ortiz shared more information about it on X.
Ortiz expressed worries that the data might be trained secretly without consent. In its FAQ, Dropbox contradicts this claim, saying, “We won’t let our third-party partners train their models on our user data without consent.”
Either way, communication about the change could have been clearer. AI researcher Simon Willison wrote, “Great example here of how careful companies need to be in clearly communicating what’s going on with AI access to personal data.”
Yikes! That’s really bad. Now Dropbox has not provided a comment beyond the FAQ above. Thus I will be interested to see what they say and how they handle this. But if this bothers you, and it should, then here’s how you opt out of this:
Disabling the feature is easy if you prefer not to share Dropbox data with OpenAI. Log into your Dropbox account on a desktop web browser, then click your profile photo > Settings > Third-party AI. This link may take you to that page more quickly. On that page, click the switch beside “Use artificial intelligence (AI) from third-party partners so you can work faster in Dropbox” to toggle it into the “Off” position.
Dropbox better have a good reason for this because right now, this is sketchy AF as the kids say.
Dropbox Sign Has Been Pwned… And It’s Not Good If You’re A User Of This Service
Posted in Commentary with tags Dropbox, Hacked on May 3, 2024 by itnerd
If you pay a visit to this link, you’ll see that cloud storage firm Dropbox has disclosed that hackers breached production systems for its Dropbox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information:
On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.
For those who received or signed a document through Dropbox Sign, but never created an account, email addresses and names were also exposed. Additionally, if you created a Dropbox Sign or HelloSign account, but did not set up a password with us (e.g. “Sign up with Google”), no password was stored or exposed. We’ve found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.
From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.
Well, that’s pretty bad. But at least they admitted to it rather than kicking that can down the road for as long as they could get away with doing so. Melvin Lammerts, Hacking Lead, Hadrian had this to say:
“Dropbox was upfront about their security breach, which is good. The fact that hackers gained access through a backend service account is worrisome. The leaked customer information could lead to possible account takeovers, highlighting the importance of robust security measures for backend service accounts and effective methods for detecting unusual activity. This incident demonstrates why companies need to be constantly testing their security in all systems, including those not (fully) publicly accessible.”
Ted Miracco, CEO, Approov Mobile Security:
“Considering this is the second breach in two years, a comprehensive security review of Dropbox’s entire ecosystem is advisable. This review should be conducted with external cybersecurity experts to ensure impartiality and a fresh perspective on security challenges. Dropbox has already taken some crucial initial steps such as resetting users’ passwords, logging users out of devices, and rotating API keys and OAuth tokens. These actions are essential to securing accounts and preventing further unauthorized access.”
If you use Dropbox Sign, you might want to put your head on a swivel for the next little while as I am certain that secondary attacks are coming. As for Dropbox, the fact that they put this out there is good. But they will have a lot of questions that they need to answer in the coming days and weeks, along with reassuring their customers that this won’t happen again because they’ve taken all required steps to secure customer data.