In 2012, Dropbox admitted that its service had been breached and, in response, added security features to protect its users. The breach came to light after a flood of spam was sent to users, which Dropbox confirmed. The attacker had obtained an internal document containing the email addresses of Dropbox users. The document was taken from an employee's account, which had itself been accessed with a reused password, rather than by an insider acting deliberately. According to Aditya Agarwal, Dropbox's Vice President of Engineering, the investigation determined that usernames and passwords stolen from other websites had been used to access Dropbox accounts. After discovering the breach, Dropbox contacted the affected users and helped them secure their accounts.
The investigation into the spam influx began after users reported spam arriving at email addresses they had used only for Dropbox. Many of those reports traced back to password reuse: according to Dropbox, a password stolen from another site was used to access an employee's Dropbox account, and that account held a project document listing user email addresses.
Dropbox took several steps to determine the cause of the breach. In its own account, improper access to that document was what led to the spam. Dropbox apologized to its users and outlined additional controls that were already being implemented so that this kind of breach cannot recur: a page on which users can review the login history of their account, better mechanisms for identifying suspicious activity, and two-factor authentication.
These tools and explanations mattered, and they did much to restore user confidence in Dropbox, but were they sufficient, and did they go far enough? Several elements of the breach are troubling: how it occurred, how it was announced, and how it was handled. First, live customer data was being used in a project document by a Dropbox engineer. The Director of Security Research and Communication at Trend Micro questioned why live customer data was in a project document at all, and why dummy data was not used instead. Moreover, according to Trend Micro, the document was reachable because the Dropbox employee had reused their corporate password on websites that were later compromised. Although it was not stated which services were involved, this raises the question of why anyone would reuse a corporate password for personal accounts.
Trend Micro also criticized Dropbox for informing affected users of a possible compromise by email, and for including password reset links in those emails. Part of the problem was that the breach had not been publicized before the emails went out. That left the genuine Dropbox email virtually indistinguishable from the spam and phishing messages that most email users receive daily. Contacting users this way, without announcing the breach first, runs directly against years of established advice that warns users not to click links in unsolicited emails, especially emails urging them to visit a website and enter credentials. These concerns raise the question of what Dropbox could have done better. Trend Micro argued that a better course would have been to direct users to the corporate homepage and to follow the instructions posted there, rather than sending a password reset link in an unsolicited email.
The Dropbox breach illustrated how common the security problems caused by password reuse are. Reuse makes life easier for users, but it raises the risk of data theft and, ultimately, identity theft, and the risk grows with every compromised website on which the same password was used. The attack is now usually called credential stuffing, and here is how it works. First, the attacker breaches a well-known website, such as LinkedIn. Next, the attacker takes the usernames (or email addresses, where those serve as usernames) and passwords from the breached site. With those pairs in hand, the attacker tries to log in to other services and, where a login succeeds, harvests personal data, including contact lists. Sometimes the attacker uses the compromised account to send spam or run another scam, such as asking the victim's family and friends for urgent financial help. Frequently there is no indication of the breach at all until the user notices something amiss or is contacted.
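The chain described above, carried through in code: a breached site's password table is cracked offline, the recovered email/password pairs are replayed against a second service, and that service's login log is checked for the replay pattern. This is an added example, not Dropbox's or any vendor's code; every site, user, password, IP address and log entry in it is constructed for illustration, and the hashing choices (fast salted SHA-256 at the breached site, PBKDF2 at the second service) are assumptions made to show why one dump cracks and the other resists.

```python
"""Credential stuffing end to end (constructed example).

Site A leaks a salted-SHA-256 password table; the attacker cracks it with a
wordlist and replays the recovered pairs against Site B, whose login log is
then scanned for one source address fanning out across many accounts.
"""
import hashlib
import hmac
import os
from collections import defaultdict


# ---------- Site A: the breached site ----------
def site_a_hash(password: str, salt: bytes) -> bytes:
    """Fast, unstretched hash: cheap to compute, so cheap to crack once leaked."""
    return hashlib.sha256(salt + password.encode()).digest()


def build_site_a_dump(accounts: dict) -> dict:
    """What the attacker walks away with: email -> (salt, hash)."""
    dump = {}
    for email, pw in accounts.items():
        salt = os.urandom(8)
        dump[email] = (salt, site_a_hash(pw, salt))
    return dump


def crack_dump(dump: dict, wordlist: list) -> dict:
    """Offline dictionary attack; returns email -> recovered password.
    A passphrase that is not in the wordlist survives even though its hash leaked."""
    recovered = {}
    for email, (salt, digest) in dump.items():
        for guess in wordlist:
            if hmac.compare_digest(site_a_hash(guess, salt), digest):
                recovered[email] = guess
                break
    return recovered


# ---------- Site B: the second service ----------
class SiteB:
    """Separate service with stretched password storage and a login log of
    (source_ip, email, success) tuples."""

    ITERATIONS = 20_000  # kept low so the example runs quickly

    def __init__(self, accounts: dict):
        self._store = {}
        for email, pw in accounts.items():
            salt = os.urandom(16)
            self._store[email] = (salt, self._kdf(pw, salt))
        self.log = []

    def _kdf(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def login(self, source_ip: str, email: str, password: str) -> bool:
        ok = False
        if email in self._store:
            salt, digest = self._store[email]
            ok = hmac.compare_digest(self._kdf(password, salt), digest)
        self.log.append((source_ip, email, ok))
        return ok


def stuff_credentials(site: SiteB, recovered: dict, source_ip: str) -> list:
    """Replay every recovered pair; only accounts whose owners reused the Site A
    password fall."""
    return [email for email, pw in recovered.items() if site.login(source_ip, email, pw)]


def detect_stuffing(log: list, min_distinct_accounts: int = 3) -> dict:
    """Flag source IPs that tried many *different* accounts. Per-account lockout
    never fires (one attempt per account) and the success rate can be high, so
    the fan-out from a single source is the signal."""
    accounts = defaultdict(set)
    for ip, email, _ in log:
        accounts[ip].add(email)
    return {ip: len(e) for ip, e in accounts.items() if len(e) >= min_distinct_accounts}


# ---------- Worked scenario (all values constructed) ----------
SITE_A_ACCOUNTS = {
    "alice@example.com": "Summer2012!",                 # reused on Site B
    "carol@example.com": "password1",                   # reused on Site B
    "dave@example.com": "dragon",                       # different password on Site B
    "bob@example.com": "correct horse battery staple",  # not in the wordlist
}
SITE_B_ACCOUNTS = {
    "alice@example.com": "Summer2012!",
    "carol@example.com": "password1",
    "dave@example.com": "pYw-3z8Q-unique",
    "erin@example.com": "x9K!mQ2#site-b-only",
}
WORDLIST = ["123456", "password1", "dragon", "Summer2012!", "letmein"]
ATTACKER_IP = "198.51.100.9"


def run_scenario():
    site_b = SiteB(SITE_B_ACCOUNTS)
    # Ordinary traffic first, so the detector has something to ignore.
    site_b.login("203.0.113.7", "erin@example.com", "x9K!mQ2#site-b-only")
    site_b.login("203.0.113.21", "dave@example.com", "typo")  # one honest miss
    site_b.login("203.0.113.21", "dave@example.com", "pYw-3z8Q-unique")

    recovered = crack_dump(build_site_a_dump(SITE_A_ACCOUNTS), WORDLIST)
    compromised = stuff_credentials(site_b, recovered, ATTACKER_IP)
    flagged = detect_stuffing(site_b.log)
    return recovered, compromised, flagged


if __name__ == "__main__":
    recovered, compromised, flagged = run_scenario()
    print("cracked at Site A:", sorted(recovered))
    print("taken over at Site B:", compromised)
    print("sources flagged:", flagged)
```

Three of the four Site A passwords crack, but only the two that were reused give the attacker a Site B account; dave's unique password holds even though his Site A password was recovered, and bob's long passphrase is never recovered at all. On the defending side, note that the attacker's address fails only once and still stands out, because it touched three distinct accounts from one source, which is the pattern to alert on.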
There is good news, though. Password-reuse attacks can be stopped with one significant step: stop reusing passwords. In practice, however, a survey of 250 people by mSeven Software found that 76% of participants rely on memory to keep track of passwords rather than writing them down, keeping them in a document on their computer, or using a password manager. About 48% said they maintain four or fewer passwords for all the websites they use, even though about 75% said they regularly access at least 10 sites that require a password.
In short, the study found that most people simply do not bother to vary passwords across websites. That is why breaches due to password reuse are so common: once one site is compromised, every other site where the same password unlocks the person's account is compromised with it. A senior technology consultant at Sophos noted that the Dropbox incident underlined the need for a different password on every website. This matters more as people keep more confidential information online, which gives attackers more incentive to break into accounts. As data breaches grow more frequent and more severe, it is clearer than ever that due diligence in protecting oneself online is necessary. At the same time, remember that no cloud service is completely safe; any of them can be penetrated. If sensitive data is entrusted to Dropbox, or to any other cloud service, it should be encrypted by the user before it is uploaded, so that a copy of the stored file means nothing to anyone else.
Protect yourself. Use a different password for every site, keep them in a password manager rather than in memory, turn on two-factor authentication where it is offered, and change any password immediately if a site where you used it is breached.