Dropbox didn't drop the ball, users did

Davey Winder lets rip over the tendency to blame vendors, rather than users, for some data breaches

I'm starting to get more than a tad fed up with headlines proclaiming that a high profile service has been hacked, and the copy writers then rushing to the conclusion that users would be better off jumping ship.

The latest victim of this knee-jerk-style reporting was Dropbox after it was accused, and largely found guilty without any hint of a fair trial, of allowing hackers to make off with nearly 7 million user logins.

Here are just some of the headlines that emerged as a result that all suggested Dropbox had dropped the security ball: 'Nearly 7 Million Dropbox Passwords Have Been Hacked', 'Hackers hold 7 million Dropbox passwords ransom', 'Hundreds of Dropbox Accounts Hacked, Millions More in Danger.' Sorry to burst this hyperbole bubble, but Dropbox didn't drop the ball. Users did.

Read most of the news reports proclaiming the service was hacked and you will quickly find, often in the second paragraph, that Dropbox had denied any hacking took place while admitting some active account logins were amongst the published 'stolen passwords' databases.

Go to the official Dropbox blog and you will find that Anton Mityagin, a security engineer at the cloud storage giant, clearly states the usernames and passwords were "stolen from unrelated services, not Dropbox" and then used to try and access Dropbox accounts amongst others.

As IT Pro reported at the time, the vast majority of the passwords posted had been expired for some time, and those which were still active had been reset "a number of months ago."

When the money-motivated hacker (the motive is assumed, since the publication of the 'stolen' database came with a request for Bitcoin donations to reveal more) actually did disclose more details, it turned out that none of them were associated with Dropbox accounts.
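The check Dropbox describes, matching a published list against live accounts and resetting only the logins that still work, looks roughly like this. This is an added illustration, not Dropbox's code; it assumes a user store of salted PBKDF2 hashes and uses a constructed dump with made-up addresses.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low for the example; production values are higher

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; any proper password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
def make_user(password: str, active: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "active": active}

# Constructed user store; active=False stands for a password already reset.
USERS = {
    "alice@example.com": make_user("correct horse battery"),
    "bob@example.com": make_user("hunter2"),
    "carol@example.com": make_user("oldpass", active=False),
}
# Constructed dump in the usual "email:password" paste format; one address
# that was never a customer and one malformed line are included on purpose.
LEAK = """alice@example.com:correct horse battery
bob@example.com:wrongguess
carol@example.com:oldpass
dave@example.com:notacustomer
garbage without a separator
"""
def parse_dump(text: str):
    # Yield (email, password) pairs; skip lines that do not fit the format.
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep:
            yield email.strip().lower(), password

def triage_dump(text: str, users: dict) -> dict:
    # Bucket each leaked pair: still valid (force a reset), already expired,
    # wrong password for a known account, or not one of our users at all.
    result = {"reset": [], "expired": [], "mismatch": [], "unknown": []}
    for email, password in parse_dump(text):
        user = users.get(email)
        if user is None:
            bucket = "unknown"
        elif not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            bucket = "mismatch"  # compare_digest keeps the check constant-time
        elif user["active"]:
            bucket = "reset"
        else:
            bucket = "expired"
        result[bucket].append(email)
    return result
```

Only the "reset" bucket needs a forced password change; the "expired" bucket is the case Dropbox reported, credentials that were real once but no longer open anything.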

This tactic is an increasingly common one being employed by those who see the potential to earn some easy money or easy kudos within the more gullible corners of the dark web community.

The fact remains though that blaming Dropbox for the security faux pas of users who reuse their logins across multiple sites is, don't you think, a bit rich? I'm not saying Dropbox are security gods by any means, and there is plenty of controversy surrounding both current privacy issues and previous alleged compromises if you care to Go Google. What I am saying is that in this particular case, like so many others, the responsibility buck stops with the user.

Dropbox's Mityagin hits the nail firmly on the head when he says Dropbox recommends enabling two-step account verification for an added layer of security.

I have been hammering away at users with their heads buried firmly in the insecurity sand with the same message for longer than I care to remember, but - for the record - I started my banging on well before the main players started to introduce the 2FA option.

And don't think that none of this concerns you as an enterprise reader, with rock solid password management and multi-factor authentication systems in place within the constraints of a firm security posture.

With so many employees using services such as Dropbox as a handy intermediate transport mechanism for data to be worked on away from the office on personal devices, despite your best intentions to stop this, it does concern you.

You need to start complementing your big stick approach (of identifying users with personal Dropbox accounts installed on their systems and forcing them to remove it) with the carrot of education, advising staff how best to shore up such services with 2FA and by not reusing passwords.

Frame it how you like. Say it's free advice for their personal data usage if you want or that you are just being ultra-cautious in case security policy is overlooked on occasion. It matters not, but bite the bullet and make sure everyone in your employ understands the importance of the issue and how easy it can be to sidestep some of the risk.
