Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Dropbox Admits Hack, Adds More Security Features

Flood of email spam blamed on attacker grabbing an internal document containing users' email addresses.

Dropbox Tuesday confirmed that its users have been experiencing a spam onslaught, and pointed the finger at any unlikely source: an internal employee.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

The Dropbox spam investigation began two weeks ago, after users began reporting spam attacks against email addresses that they used only for the service.

[ Security officials are using data analysis tools to combat cybercrime at the London Olympics. Read about it here: Olympics Tap Big Data To Enhance Security. ]

But many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.

But do those fixes--and related explanations--go far enough? "For me, there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a 'project document' --why? Shouldn't they be using dummy data?" said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised. It is not specified which services they refer to, but again, why?" Ferguson also criticized Dropbox's use of email--without first publicizing the breach--to inform affected users that their password may have been compromised, and for including "reset your password" links in those emails, thus making them virtually indistinguishable from the spam and phishing attacks that currently flood people's in-boxes. "This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a website to enter any kind of credentials," he said.

What could Dropbox have done better? "Instead of [sending] a password reset link, they should direct users to browse to the corporate homepage and follow the information there."

As the Dropbox breach illustrates, password reuse continues to be a prevalent security challenge. It works like this: Attackers breach a website such as LinkedIn or eHarmony, steal usernames--or emails--plus passwords, then use those to try and log into other services. Should such log-ins be successful, attackers harvest personal data, contact lists, try an "urgent request from a friend" scam, or use the compromised account to launch large volumes of spam emails.

The easiest way to stop password-reuse attacks is to stop reusing passwords. But according to an online password survey of 250 people recently conducted by software vendor mSeven Software, 76% of users rely solely on their memory--versus writing passwords down, entering them in a computer file, or using a password manager. In addition, 48% of respondents said they maintain just four passwords--or fewer--for any website they use that requires a password, even though 75% of people said they use at least 10 sites that require passwords.

In other words, most people don't seem to bother varying their passwords across different websites. As a result, when attackers obtain one password, they can use it to unlock that person's account on numerous other websites. "The Dropbox incident underlines the necessity of having different passwords for every website," said Graham Cluley, senior technology consultant at Sophos, via email. "As people pile more confidential information onto the Web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."

Of course, even without password reuse, no cloud service is impenetrable. "If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," Cluley said. "That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway."

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
edyang73
100%
0%
edyang73,
User Rank: Apprentice
5/24/2014 | 11:41:00 PM
Fine for personal pictures
Dropbox is fine for casual things such as personal pictures, but not senstive business or customer data. For that I use CertainSafe, the only file sharing service with MicroTokenization, which breaks a file up and encrypts the pieces. Almost unhackable.
AustinAnalyst
50%
50%
AustinAnalyst,
User Rank: Apprentice
8/2/2012 | 2:54:57 PM
re: Dropbox Admits Hack, Adds More Security Features
What methods/software are available to encrypt data at the PC level ? How would we recover the encryption for all the encrypted files stored on the cloud in the event of a PC crash & rebuild ??
cruiz
50%
50%
cruiz,
User Rank: Apprentice
8/2/2012 | 9:39:37 AM
re: Dropbox Admits Hack, Adds More Security Features
Well sorry but I've had enough with Drpbox.. I decided changing of online backup solution. Surfing the net I found something called "Bajoo" and read everything about what they do. I'm really interested cause they have, like, everything! encryption, secret pass phrase, etc... I'm considering it.
NMORRIS926
50%
50%
NMORRIS926,
User Rank: Apprentice
8/1/2012 | 7:00:53 PM
re: Dropbox Admits Hack, Adds More Security Features
After last yearGs embarrassing data breaches, Dropbox promised to implement additional safeguards Gǣto prevent this from happening again.Gǥ Whoops, it just happened again.

here are my thoughtsGǪ
http://jacksonshaw.blogspot.ca...

Read more at http://macdailynews.com/2012/0...
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.