Cybersecurity Insight

Data Breach Affects 68 Million Dropbox Users

1 Sep

Another day, another data breach – this time Dropbox, the popular cloud storage behemoth, announced that over 68 million user email addresses and passwords were dumped on the Internet. What's interesting is that the information comes from a previous attack in 2012, at which time Dropbox reported that only email addresses had been stolen. Whether they did not know the passwords had been compromised or just didn't disclose it remains to be seen.

The data breach experienced by Dropbox is connected to two previous attacks, one on their own site in 2012 and another on LinkedIn that was spoken about at length on this site. As mentioned previously, the 2012 attack was thought to have exposed only email addresses – instead, this most recent incident shows that it also included stolen passwords, and that trove of information is what was released this week. Now, the way that the attackers were able to get in is rather interesting. It didn't involve a unique cyber attack, physical connection or anything of the sort. The only thing they needed was an employee's password, which happened to be the same one they used at both Dropbox and LinkedIn. Remember the data breach that occurred at LinkedIn recently? Exactly – the attackers were able to use the same password, enter the site under the employee's credentials and take whatever they wanted at their leisure from the user database.

So, how is Dropbox handling the situation? Besides urging users to change passwords if they haven't done so (use these stories as incentive), Dropbox is taking steps to ensure that a future data breach is less likely to occur. The company's security standing was, and is, strong – passwords were hashed rather than stored in plain text, and the company was in the process of upgrading the hashing from SHA1 to a stronger standard called bcrypt. This data breach just goes to show that even the stronger technology companies are susceptible to cyber attacks. Stronger protection on the user and business end is key – that includes strong, unique passwords and multi-factor authentication; unfortunately Dropbox failed to heed the everyman's warning that passwords should never be reused.