Dropbox urged to reset all its users' passwords in wake of breach
Security experts claim file sharing site's post-breach guidance could leave users exposed to further attacks.
Dropbox has come under fire from a slew of IT security experts for the advice it has given users in the wake of this week's password breach.
As reported by IT Pro yesterday, the online file sharing service confirmed this week that some users' passwords had been stolen and used to access their accounts.
The bottom line is, when you have a breach, always assume the worst case scenario.
The affected users were then bombarded with spam, which was sent to the email addresses they had used to set up their Dropbox account.
Dropbox claims the passwords were obtained by hackers that had compromised other sites, which suggests they preyed on people who use the same login details across multiple sites.
The firm has since advised affected users to change their passwords, but Rob Sobers, technical manager at security vendor Varonis, said the company should reset all users' details as a matter of course.
"[Dropbox] are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached yet," he asked.
Citing the recent LinkedIn data breach, which resulted in 6.5 million of the site's users having their passwords published on a Russian web forum, Sobers said sites should be wary of taking the data hackers publish at face value.
For instance, just because a hacker publishes millions of passwords, that does not mean that's all the data they have.
"The bottom line is, when you have a breach, always assume the worst case scenario," said Sobers.
"Dropbox may be risking another breach from the same attack by [not] forcing a [widescale] password reset. That's a really curious decision.
"Needless to say, if you're a Dropbox user, go reset your password," he concluded.
Meanwhile, Grant Taylor, vice president for Europe at security vendor Cryptzone, said the Dropbox breach is proof that companies should not be storing corporate data on its servers.
"We would go further and argue that people should not be using Dropbox for many business purposes," said Talyor.
"Free services, by their very nature, don't have the features to facilitate corporate control and management."
The case for a marketing content hub
Transform your digital marketing to deliver customer expectationsDownload now
Fast, flexible and compliant e-signatures for global businesses
Be at the forefront of digital transformation with electronic signaturesDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now
IT faces new security challenges in the wake of COVID-19
Beat the crisis by learning how to secure your networkDownload now