Dropbox didn't drop the ball, users did
Davey Winder lets rip over the tendency to blame vendors, rather than users, for some data breaches
I'm starting to get more than a tad fed up with headlines proclaiming that a high profile service has been hacked, and the copy writers then rushing to the conclusion that users would be better off jumping ship.
The latest victim of this knee-jerk-style reporting was Dropbox after it was accused, and largely found guilty without any hint of a fair trial, of allowing hackers to make off with nearly 7 million user logins.
Here are just some of the headlines that emerged as a result that all suggested Dropbox had dropped the security ball: 'Nearly 7 Million Dropbox Passwords Have Been Hacked', 'Hackers hold 7 million Dropbox passwords ransom', 'Hundreds of Dropbox Accounts Hacked, Millions More in Danger.' Sorry to burst this hyperbole bubble, but Dropbox didn't drop the ball. Users did.
Read most of the news reports proclaiming the service was hacked and you will quickly find, often in the second paragraph, that Dropbox had denied any hacking took place while admitting some active account logins were amongst the published 'stolen passwords' databases.
Go to the official Dropbox blog and you will find that Anton Mityagin, a security engineer at the cloud storage giant, clearly states the usernames and passwords were "stolen from unrelated services, not Dropbox" and then used to try and access Dropbox accounts amongst others.
As IT Pro reported at the time, the vast majority of the passwords posted had been expired for some time and those which were active reset "a number of months ago."
When the money-motivated hacker (assumed as the publication of the 'stolen' database is accompanied by a Bitcoin donation request to reveal more) actually did disclose more details it turned out that none of them were actually associated with Dropbox accounts.
This tactic is an increasingly common one being employed by those who see the potential to earn some easy money or easy kudos within the more gullible corners of the dark web community.
The fact remains though that blaming Dropbox for the security faux-pa's of users who reuse their logins across multiple sites is, don't you think, a bit rich? I'm not saying Dropbox are security gods by any means, and there is plenty of controversy surrounding both current privacy issues and previous alleged compromises if you care to Go Google. What I am saying is in this particular case, like so many others, the responsibility buck stops with the user.
Dropbox's Mityagin hits the nail firmly on the head when he says Dropbox recommends enabling two-step account verification for an added layer of security.
I have been hammering away at users with their heads buried firmly in the insecurity sand with the same message for longer than I care to remember, but - for the record - I started my banging on well before the main players started to introduce the 2FA option.
And don't think that none of this concerns you as an enterprise reader, with rock solid password management and multi-factor authentication systems in place within the constraints of a firm security posture.
With so many employees using services such as Dropbox as a handy medium-in-middle transport mechanism for data to be worked on away from the office on personal devices, despite your best intentions to stop this, it is.
You need to start complementing your big stick approach (of identifying users with personal Dropbox accounts installed on their systems and forcing them to remove it) and employing the carrot of education to staff, advising them best how to shore up such services with 2FA and the no reuse of passwords.
Frame it how you like. Say it's free advice for their personal data usage if you want or that you are just being ultra-cautious in case security policy is overlooked on occasion. It matters not, but bite the bullet and make sure everyone in your employ understands the importance of the issue and how easy it can be to sidestep some of the risk.