[psook]

Right, but you're assuming optimal response from every Dropbox user, when I'd assume the vast majority of Dropbox users aren't aware of best password practices (or are aware and only change passwords when forced anyway because 'I have nothing to hide'). The severity of the breach means Dropbox should be forcing password changes. I didn't even receive an e-mail notifying of the breach. Nothing in the spam filters, it's just not there. The only reason I'm aware of it is Troy Hunt, and the only reason I'd ever be aware of it is that. I was getting ready to leave dropbox anyway, this just reasserted that it's the correct decision.

[nxzero]

Honestly, I've found security bugs in Dropbox using it (oddly) as designed in the past and would never use it again; basically, as a non admin I could become an admin in a business account; reported the issue, had a call with them and it appeared they fixed it, but still it was a wtf moment for me given if you're an admin you are able to permanently delete all the data and according to Dropbox the data would not be recoverable regardless of the time frame.

As for the average user, to be honest at the point I increaslying feel like people are responsible for their own security and if you that concerned a service won't notify you of a breach or make a mistake that to you is unforgivable — don't use them. Reason I take this position now is because increased you feel like all the hand holding related to security is dangerous long-term.

[psook]

I agree that, ultimately, the only person who really cares about your security is you. That is certainly where the buck stops, and if a service has security you don't agree with stop doing business with them.

However, a forced password and session reset on accounts whose credentials have become public knowledge isn't "hand holding." It's SysAdmin101. It should be the first thing you do. Unless I'm misreading you, the stated stance is "Anyone using dropbox got what they deserved," but not everyone has the knowledge to perform a security audit. The user is not without blame or having made mistakes, but Dropbox isn't taking ownership of their own mistakes or being transparent to every affected user about what those mistakes were and/or led to. If they want to be a service that does hand-holding, they can give the correct advice. If they don't, they NEED to be transparent about what occurred and what information was released or the onus is entirely on them. Right now, they're doing neither. I think that is criminally negligent, though I'm certain no legal action will be taken.

I feel that lowering those expectations of a service only helps justify these shitty, lazy practices to others.

The only thing that would've been exposed in the breach relating to me are the e-mail address and password for that service itself (alongside all the crappy memes I stored there), but I'm not ready to watch the world burn from the sidelines. The security of others is just as much your personal security, and the more of it others sacrifice the more you'll be expected to do the same and suffer repercussions for not doing so.