Four-Year-Old DropBox Hack Comes Back to Haunt

By Ali Raza

It’s hard to believe that Dropbox is almost 10 years old. It seems to have been around forever. It’s now a $10 billion cap corporation and as close to being a household name as something as mundane as data storage can get for an operation.

The numbers are staggering. Almost 500 million of us use it or have used it at some point. That means a major chunk of social responsibility for Drobox to maintain the robust and impenetrable security required and expected by all us users. But they dropped the ball back in 2012. Security was penetrated and some 68+ million email addresses and hashed (scrambled) passwords were stolen. Fortunately, the repercussions have not been as bad as they could have been because of the scrambled nature of the passwords.

Dropbox advised users to change their passwords at the time but PR and reputation damage limitation now seems to have been uppermost on the priorities list. Last week, four years later, we are told that 60 million users were affected.

The thing is that all of us regular consumers who use online services of any description still have the mentality of the free Internet. We really don’t like paying very much and we are astounded if the service is not rock solid and utterly professional for our $5/mth or whatever.

Many of us, even hardened IT veterans, have not taken on board the vital necessity of using strong, secure passwords. The “it happens to other people, not to me” mentality is deadly because when it does happen, the impact can be scarily bad. I wonder how many people use Dropbox as their automatic backup for their laptops and devices? And of those, how many keep confidential documents like passport scans and bank account details (yes, even passwords too) in a Notepad file. Everything is probably replicated at Dropbox and, over time, users can forget that fact and forget that the security of their data has a massive dependency on an outside agent that is under constant security attack.

The incident at Dropbox stemmed from one user whose email account was hacked. The intruder then managed to locate and retrieve four files that contained the data. The lesson here is that every touchpoint with the outside world is a potential vulnerability. Every corporation invests significantly in security expertise but the defenders have to win 100% of the time 24/7/365. The attackers need to get lucky only once. And passwords with their very human creators and maintainers are still one of the weakest links.

Enterprises do instigate password security processes, such as encouraging users to change passwords frequently. However, users typically access a number of different applications, each of which requires a password, so the temptation to take the convenient route of weak but memorable passwords and reusing them is a constant. It is the individual that needs to change, and changing one’s habits is not something that can be done without an internal driver. That driver does not exist for too many of us.

Dropbox has moved to restrict the downside from the incident. It encourages users to adopt their two-step authentication process, which is a must-do no-brainer for any users of the service who have been made aware of it. Dropbox and their user base were lucky on this occasion because the stolen passwords were salted (obfuscated with a secret text string) before hashing, which means that cracking them is unlikely. However, they are now out there and may be cracked one day. Therefore any reuse of a password that was used for a Dropbox account should be changed immediately.

It goes to show that, as users of Internet services, we simply must take nothing for granted. Any service is a potential victim of a security breach.

If we truly want to create a virtual Fort Knox for our critical and sensitive data, images, plans, or anything else that is in digital format – the best way (and according to many experts, the only way) is to encrypt the data and hold those encryption keys ourselves. Stay tuned for some announcements from us at Scram Software on how we’ll make it easy for you to do exactly that.