Dropbox didn't drop the ball, users did

Davey Winder lets rip over the tendency to blame vendors, rather than users, for some data breaches

I'm starting to get more than a tad fed up with headlines proclaiming that a high-profile service has been hacked, and the copywriters then rushing to the conclusion that users would be better off jumping ship.

The latest victim of this knee-jerk-style reporting was Dropbox after it was accused, and largely found guilty without any hint of a fair trial, of allowing hackers to make off with nearly 7 million user logins.

Here are just some of the headlines that emerged as a result that all suggested Dropbox had dropped the security ball: 'Nearly 7 Million Dropbox Passwords Have Been Hacked', 'Hackers hold 7 million Dropbox passwords ransom', 'Hundreds of Dropbox Accounts Hacked, Millions More in Danger.' Sorry to burst this hyperbole bubble, but Dropbox didn't drop the ball. Users did.

Read most of the news reports proclaiming the service was hacked and you will quickly find, often in the second paragraph, that Dropbox had denied any hacking took place while admitting some active account logins were amongst the published 'stolen passwords' databases.

Go to the official Dropbox blog and you will find that Anton Mityagin, a security engineer at the cloud storage giant, clearly states the usernames and passwords were "stolen from unrelated services, not Dropbox" and then used to try and access Dropbox accounts amongst others.

As IT Pro reported at the time, the vast majority of the passwords posted had been expired for some time and those which were active reset "a number of months ago."

When the money-motivated hacker (assumed as the publication of the 'stolen' database is accompanied by a Bitcoin donation request to reveal more) actually did disclose more details it turned out that none of them were actually associated with Dropbox accounts.

This tactic is an increasingly common one being employed by those who see the potential to earn some easy money or easy kudos within the more gullible corners of the dark web community.

The fact remains, though, that blaming Dropbox for the security faux pas of users who reuse their logins across multiple sites is, don't you think, a bit rich? I'm not saying Dropbox are security gods by any means, and there is plenty of controversy surrounding both current privacy issues and previous alleged compromises if you care to Go Google. What I am saying is that in this particular case, like so many others, the responsibility buck stops with the user.

Dropbox's Mityagin hits the nail firmly on the head when he says Dropbox recommends enabling two-step account verification for an added layer of security.

I have been hammering away at users with their heads buried firmly in the insecurity sand with the same message for longer than I care to remember, but - for the record - I started my banging on well before the main players started to introduce the 2FA option.

And don't think that none of this concerns you as an enterprise reader, with rock solid password management and multi-factor authentication systems in place within the constraints of a firm security posture.

With so many employees using services such as Dropbox as a handy medium-in-middle transport mechanism for data to be worked on away from the office on personal devices, despite your best intentions to stop this, it does.

You need to start complementing your big stick approach (of identifying users with personal Dropbox accounts installed on their systems and forcing them to remove it) with the carrot of education for staff, advising them how best to shore up such services with 2FA and no reuse of passwords.

Frame it how you like. Say it's free advice for their personal data usage if you want or that you are just being ultra-cautious in case security policy is overlooked on occasion. It matters not, but bite the bullet and make sure everyone in your employ understands the importance of the issue and how easy it can be to sidestep some of the risk.
