> It turns out a Dropbox employee’s account was hacked, allowing access to user e-mail addresses.
This is misleading.
> Some Dropbox customer accounts were hacked too, but this was apparently an unrelated matter.
Unrelated how? What I read was: "Our investigation found that usernames and passwords recently stolen from other websites... A stolen password was also used to access an employee Dropbox account"
This article dangerously leaves the impression that an intrusion was made into Dropbox's system to access the employee's account, and possibly an admin interface. In reality Dropbox let a spammer with a valid email and password look at someone's files.
An employee account was compromised and privileged information (in this case user email addresses) was accessed. The attacker exploited a flaw in Dropbox's password policy / authentication system to access the information. Dropbox is modifying their systems and policies to prevent this sort of attack in the future.
All that together certainly adds up to an intrusion and is well within the definition of a "hack".
Using a key to open a door that was designed to be opened with that key is not a flaw in the lock mechanism. The fact that the user set that key to also open something else is not the fault of the former lock.
This is not at all how security researchers think of it. Security vulnerabilities are very broad, they can be exploited through social engineering, through incompetent employees who do not have rigorous password standards, etc. If you narrow security vulnerabilities to coding mistakes, you're neglecting your customers.
No, a hack means that any malicious attacker (you, me, your mom, etc) could exploit ("hack") a flaw in their system security in order to gain access. This is not the case here.