A week or so ago, you may have received an email from online cloud storage platform Dropbox, as the company forced password resets. Shortly after, you may also have seen media reports about the Dropbox hack: far bigger than previously thought, it’s another wake-up call in terms of cloud access and security. The thing is, the breach took place in 2012 and was reported by Dropbox at the time. The company had said that a number of users’ email addresses had been stolen. It now turns out that passwords were taken too, with some 68 million email addresses and passwords being leaked to the Internet. As the The Guardian newspaper reported, “The company had around 100 million customers at the time, meaning the data dump represents over two-thirds of its user accounts.”
The data dump was revealed by Motherboard, which “obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community... The data is legitimate, according to a senior Dropbox employee.” The news site added, “This is just the latest so-called ‘mega-breach’ to be revealed. This summer, hundreds of millions of records from sites such as LinkedIn, MySpace, Tumblr, and VK.com from years-old data breaches were sold and traded amongst hackers.”
At the time, Dropbox blamed the beach on an employee’s password being obtained, and apologised for this failure of internal security. But as the problem emerged as being far bigger, one cybersecurity strategist commented last week, “The biggest threat with employees using file sharing programs like Dropbox is that once an account is compromised, it can be used as an attack vector for delivering malicious links to a network... Companies need to arm their employees with secure alternatives to share large files that work at the enterprise level. If employees don’t have a better option, they end up using a variety of vendors and creating multiple accounts, none of which are being securely monitored.” Given the huge volumes of data now being stored in the cloud, on “data farms” like Dropbox, and the interdependencies of platforms, apps and cross-functional “as a Service” business solutions, along with mobile and BYOD consumer access, the risks are multiplying. As The Guardian added, “The hack highlights the need for tight security, both at the user end – the use of strong passwords, two-step authentication and no reuse of passwords – and for the companies storing user data. Even with solid encryption practices for securing users’ passwords, Dropbox fell foul of password reuse and entry into its company network.”