Way back in the dark ages (well, four years ago, anyway), something happened within file sharing vendor Dropbox that, all these years later, has come back to haunt the powerhouse and its customers. While the actions or inactions from all those years ago cannot be undone, it is worth looking at the situation as a cautionary tale for all of us, especially since so many more people rely on internet services today than only a few years ago.
Back in 2012, Dropbox informed the world that an employee's password was "acquired" and that the password in question was used to access a document that contained the email addresses of Dropbox users. Dropbox informed users, by way of a blog post back in 2012, that:
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn’t happen again."
So far, so (not fantastically) good. Clearly this is an issue in terms of privacy but, if all that was accessed was a bunch of email addresses, no harm done, right?
Well, not so fast. Dropbox disclosed last week that credentials for over 60 million accounts have been floating around the so-called "dark web" since the initial breach in 2012. This is not only a higher number than initially thought, but also far more serious a leak, since this is about actual credentials (i.e., usernames AND passwords) and not just email addresses.
Dropbox would appear to have been relying on technicalities within its 2012 disclosure. Dropbox passwords are hashed and salted, and therefore anyone getting their hands on a file including passwords wouldn't be able to use them.
But what if someone got their hands on these hashed and salted passwords and managed to crack them? They would then have access to usernames and passwords. And, since we know that many people use single passwords for multiple services, and many more did so back in 2012, there exists a treasure trove of user data that could potentially lead to far greater losses than simply a few shared files.
This 60 million or so user credentials is an estimated 60% of the total number of users that the Dropbox service had back in 2012 -- a sobering statistic that goes to show just how impactful poor security procedures can be on these sort of web scale vendors.
To be fair, the data breach was a complicated one and cannot all be attributed to Dropbox. It seems that a Dropbox employee's personal password had been used on both their LinkedIn and their corporate Dropbox account. The LinkedIn password was obtained via another breach and this was reused to infiltrate the Dropbox network and eventually steal the files containing the credentials.
Very simply, this breach points out, once again, that two-factor authentication and not using duplicate passwords is a critical requirement for data safety. Interestingly, Dropbox has advised that it has licensed 1Password, a password management service that makes it easier for users to maintain highly secure and individual passwords for all of the different services they need. Systems like 1Password and its competitor LastPass are an important first step in data security.
But this breach also suggests that, perhaps, it is time for these web scale vendors to enforce the utilization of two-factor authentication, or at least adopt contextual authentication to weed out unauthorized or questionable login attempts.
We shouldn't berate Dropbox too heavily for this breach -- Dropbox was only one part of the chain of data loss, and the actions of third-party vendors and individual employees went a long way to causing this situation. But it is, above all, a cautionary tale for just how important this stuff continues to be.
This article is published as part of the IDG Contributor Network. Want to Join?