Dropbox didn't drop the ball, users did

Davey Winder lets rip over the tendency to blame vendors, rather than users, for some data breaches

I'm starting to get more than a tad fed up with headlines proclaiming that a high profile service has been hacked, and the copy writers then rushing to the conclusion that users would be better off jumping ship.

The latest victim of this knee-jerk-style reporting was Dropbox after it was accused, and largely found guilty without any hint of a fair trial, of allowing hackers to make off with nearly 7 million user logins.

Here are just some of the headlines that emerged as a result, all of which suggested Dropbox had dropped the security ball: 'Nearly 7 Million Dropbox Passwords Have Been Hacked', 'Hackers hold 7 million Dropbox passwords ransom', 'Hundreds of Dropbox Accounts Hacked, Millions More in Danger.' Sorry to burst this hyperbole bubble, but Dropbox didn't drop the ball. Users did.

Read most of the news reports proclaiming the service was hacked and you will quickly find, often in the second paragraph, that Dropbox had denied any hacking took place while admitting some active account logins were amongst the published 'stolen passwords' databases.

Go to the official Dropbox blog and you will find that Anton Mityagin, a security engineer at the cloud storage giant, clearly states the usernames and passwords were "stolen from unrelated services, not Dropbox" and then used to try to access Dropbox accounts, amongst others.

As IT Pro reported at the time, the vast majority of the passwords posted had expired some time ago, and those that were still active had been reset "a number of months ago."

When the hacker, whose motive is assumed to be money since the publication of the 'stolen' database was accompanied by a Bitcoin donation request to reveal more, actually did disclose further details, it turned out that none of them were associated with Dropbox accounts.

This tactic is an increasingly common one being employed by those who see the potential to earn some easy money or easy kudos within the more gullible corners of the dark web community.

The fact remains, though, that blaming Dropbox for the security faux pas of users who reuse their logins across multiple sites is, don't you think, a bit rich? I'm not saying Dropbox are security gods by any means, and there is plenty of controversy surrounding both current privacy issues and previous alleged compromises if you care to go and Google it. What I am saying is that in this particular case, like so many others, the responsibility buck stops with the user.

Dropbox's Mityagin hits the nail firmly on the head when he says Dropbox recommends enabling two-step account verification for an added layer of security.

I have been hammering away at users with their heads buried firmly in the insecurity sand with the same message for longer than I care to remember, but - for the record - I started banging on about it well before the main players introduced the 2FA option.

And don't think that none of this concerns you as an enterprise reader, with rock-solid password management and multi-factor authentication systems in place within the constraints of a firm security posture.

With so many employees using services such as Dropbox as a handy go-between for moving data to be worked on away from the office on personal devices, despite your best intentions to stop this, it does concern you.

You need to start complementing your big-stick approach (identifying users with personal Dropbox accounts installed on their systems and forcing them to remove it) with the carrot of education, advising staff on how best to shore up such services with 2FA and by never reusing passwords.

Frame it how you like. Say it's free advice for their personal data usage if you want, or that you are just being ultra-cautious in case security policy is overlooked on occasion. It matters not, but bite the bullet and make sure everyone in your employ understands the importance of the issue and how easy it can be to sidestep some of the risk.
