Dropbox urged to reset all its users' passwords in wake of breach

Security experts claim file sharing site's post-breach guidance could leave users exposed to further attacks.

Password login page

Dropbox has come under fire from a slew of IT security experts for the advice it has given users in the wake of this week's password breach.

As reported by IT Pro yesterday, the online file sharing service confirmed this week that some users' passwords had been stolen and used to access their accounts.

Advertisement - Article continues below

The bottom line is, when you have a breach, always assume the worst case scenario.

The affected users were then bombarded with spam, which was sent to the email addresses they had used to set up their Dropbox account.

Dropbox claims the passwords were obtained by hackers that had compromised other sites, which suggests they preyed on people who use the same login details across multiple sites.

The firm has since advised affected users to change their passwords, but Rob Sobers, technical manager at security vendor Varonis, said the company should reset all users' details as a matter of course.

"[Dropbox] are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached yet," he asked.

Citing the recent LinkedIn data breach, which resulted in 6.5 million of the site's users having their passwords published on a Russian web forum, Sobers said sites should be wary of taking the data hackers publish at face value.

Advertisement - Article continues below
Advertisement - Article continues below

For instance, just because a hacker publishes millions of passwords, that does not mean that's all the data they have.

"The bottom line is, when you have a breach, always assume the worst case scenario," said Sobers.

"Dropbox may be risking another breach from the same attack by [not] forcing a [widescale] password reset. That's a really curious decision.

"Needless to say, if you're a Dropbox user, go reset your password," he concluded.

Meanwhile, Grant Taylor, vice president for Europe at security vendor Cryptzone, said the Dropbox breach is proof that companies should not be storing corporate data on its servers.

"We would go further and argue that people should not be using Dropbox for many business purposes," said Talyor.

"Free services, by their very nature, don't have the features to facilitate corporate control and management."

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



K2View innovates in data management with new encryption patent

28 May 2020

ZLoader malware returns as a coronavirus phishing scam

27 May 2020

AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020

Scammers leverage contact-tracing in hacking attempt

27 May 2020

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020
data protection

NHS yet to understand risks of holding Test and Trace data for 20 years

29 May 2020