In-depth

Dropbox didn't drop the ball, users did

Davey Winder lets rip over the tendency to blame vendors, rather than users, for some data breaches

Password and username box

I'm starting to get more than a tad fed up with headlines proclaiming that a high profile service has been hacked, and the copy writers then rushing to the conclusion that users would be better off jumping ship.

The latest victim of this knee-jerk-style reporting was Dropbox after it was accused, and largely found guilty without any hint of a fair trial, of allowing hackers to make off with nearly 7 million user logins.

Advertisement - Article continues below

Here are just some of the headlines that emerged as a result that all suggested Dropbox had dropped the security ball: 'Nearly 7 Million Dropbox Passwords Have Been Hacked', 'Hackers hold 7 million Dropbox passwords ransom', 'Hundreds of Dropbox Accounts Hacked, Millions More in Danger.' Sorry to burst this hyperbole bubble, but Dropbox didn't drop the ball. Users did.

Read most of the news reports proclaiming the service was hacked and you will quickly find, often in the second paragraph, that Dropbox had denied any hacking took place while admitting some active account logins were amongst the published 'stolen passwords' databases.

Go to the official Dropbox blog and you will find that Anton Mityagin, a security engineer at the cloud storage giant, clearly states the usernames and passwords were "stolen from unrelated services, not Dropbox" and then used to try and access Dropbox accounts amongst others.

Advertisement
Advertisement - Article continues below

As IT Pro reported at the time, the vast majority of the passwords posted had been expired for some time and those which were active reset "a number of months ago."

Advertisement - Article continues below

When the money-motivated hacker (assumed as the publication of the 'stolen' database is accompanied by a Bitcoin donation request to reveal more) actually did disclose more details it turned out that none of them were actually associated with Dropbox accounts.

This tactic is an increasingly common one being employed by those who see the potential to earn some easy money or easy kudos within the more gullible corners of the dark web community.

The fact remains though that blaming Dropbox for the security faux-pa's of users who reuse their logins across multiple sites is, don't you think, a bit rich? I'm not saying Dropbox are security gods by any means, and there is plenty of controversy surrounding both current privacy issues and previous alleged compromises if you care to Go Google. What I am saying is in this particular case, like so many others, the responsibility buck stops with the user.

Advertisement - Article continues below

Dropbox's Mityagin hits the nail firmly on the head when he says Dropbox recommends enabling two-step account verification for an added layer of security.

I have been hammering away at users with their heads buried firmly in the insecurity sand with the same message for longer than I care to remember, but - for the record - I started my banging on well before the main players started to introduce the 2FA option.

And don't think that none of this concerns you as an enterprise reader, with rock solid password management and multi-factor authentication systems in place within the constraints of a firm security posture.

With so many employees using services such as Dropbox as a handy medium-in-middle transport mechanism for data to be worked on away from the office on personal devices, despite your best intentions to stop this, it is.

You need to start complementing your big stick approach (of identifying users with personal Dropbox accounts installed on their systems and forcing them to remove it) and employing the carrot of education to staff, advising them best how to shore up such services with 2FA and the no reuse of passwords.

Advertisement - Article continues below

Frame it how you like. Say it's free advice for their personal data usage if you want or that you are just being ultra-cautious in case security policy is overlooked on occasion. It matters not, but bite the bullet and make sure everyone in your employ understands the importance of the issue and how easy it can be to sidestep some of the risk.

Advertisement
Advertisement

Recommended

Visit/security/cyber-security/355210/cyber-criminals-torn-over-how-to-adapt-to-post-coronavirus-threat
cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020

Most Popular

Visit/security/cyber-security/355200/spacex-bans-the-use-of-zoom
cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020
Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020