Yesterday, Dropbox confirmed that they had indeed been hacked.  They issued a blog post explaining:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

Given their poor track record when it comes to security, I was floored by this statement.  They are assuming they know exactly which accounts were compromised.  What about the accounts whose credentials were stolen in the same dumps but haven’t been used to sign in (yet)?

LinkedIn made the same mistake a few months ago—they only reset the passwords for the accounts they believed to be affected.  What did they base this on?  The list of hashes that were published BY THE HACKERS?  Is it beyond the realm of possibility that the attackers might not have published the whole list?  They’re HACKERS!

Zappos, on the other hand, took their medicine.  They said, “We know it’s a royal pain, but we don’t really know exactly which accounts are at risk, so we’re resetting them all.”  While it was a pain, this made at least one customer  (me) feel like Zappos was taking security seriously.

Another unsettling thing is that apparently a Dropbox employee was storing customer data in their own Dropbox account.  That blew my mind for the second time in the same morning.

Here’s what we can deduce from what the company has disclosed:

  • Dropbox stores at least some customer information in Dropbox, in folders that are accessible by at least one employee
  • At least one Dropbox employee reuses their Dropbox password somewhere else
  • Dropbox is taking the same road that LinkedIn took by addressing only the problems they know about. What about the problems they don’t yet know they have?

This raises some disturbing questions:

  • What other customer information is stored in Dropbox folders? Credit card data? Passwords?
  • Which employees have access to customer data?
  • Of the employees that have access to customer data, how many of them re-use their passwords?

At least it’s not all bad.  Some good news is that Dropbox is introducing:

  • Two-factor authentication
  • Automated alerts on anomalous behavior detection
  • A visible audit log of account access

These features are critical: knowing, at all times, who has access to data and who is actually accessing it, locating sensitive data, and using automation to monitor use and flag potential abuse. (This is what the Varonis Data Governance Suite is all about.)
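As an added example (not code from Dropbox, Varonis or the original post), here is what the second and third of those features look like as actual detection logic: a small Python script that reads a login audit log and raises two kinds of alert. The first is the signature of exactly the attack Dropbox described, one source IP trying a stolen username/password list against many different accounts in a short burst, whether or not each attempt succeeds. The second is a successful login from a country an account has never been seen in before. The log format, the field names, the thresholds and the sample events are all assumptions constructed for this demo.

```python
"""Toy login-audit analysis for two anomaly signals.

Added example, not Dropbox's or Varonis's code.  The log line format
("timestamp user ip country result"), the thresholds and the sample
events below are assumptions constructed for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log.  One IP walks through seven accounts in
# six minutes (stuffing a leaked credential list); later, alice logs in
# successfully from a country she has never used before.
SAMPLE_LOG = """\
2012-07-31T08:00:00 alice 203.0.113.10 US ok
2012-07-31T08:05:00 bob   203.0.113.10 US fail
2012-07-31T08:05:10 carol 203.0.113.10 US fail
2012-07-31T08:05:20 dave  203.0.113.10 US ok
2012-07-31T08:05:30 erin  203.0.113.10 US fail
2012-07-31T08:05:40 frank 203.0.113.10 US fail
2012-07-31T08:05:50 grace 203.0.113.10 US fail
2012-07-31T09:00:00 alice 198.51.100.7 RO ok
2012-07-31T10:00:00 bob   192.0.2.55   US ok
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    ok: bool


def parse_log(text):
    """Parse the assumed whitespace-separated format into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, ip, country, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, country, result == "ok"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag an IP that tries >= min_accounts distinct usernames inside `window`.

    Failures count as much as successes: the burst of different accounts is
    the signal.  The alert also lists which accounts the IP got INTO, which
    is the set you would notify (and the set Dropbox said it notified); the
    full `accounts` list is the larger set you should assume is at risk.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():          # evs are already time-sorted
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            users = {x.user for x in burst}
            if len(users) >= min_accounts:
                alerts.append({
                    "type": "credential_stuffing",
                    "ip": ip,
                    "when": e.ts.isoformat(),
                    "accounts": sorted(users),
                    "succeeded": sorted({x.user for x in burst if x.ok}),
                })
                break                      # one alert per IP is enough here
    return alerts


def detect_new_country_logins(events):
    """Flag a successful login from a country the account has never used.

    The baseline is built only from earlier successes, so an account's very
    first success is never flagged: this check needs history to be useful.
    """
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if not e.ok:
            continue
        if seen[e.user] and e.country not in seen[e.user]:
            alerts.append({
                "type": "new_country", "user": e.user, "ip": e.ip,
                "country": e.country, "when": e.ts.isoformat(),
            })
        seen[e.user].add(e.country)
    return alerts


def analyze(text):
    events = parse_log(text)
    return detect_credential_stuffing(events) + detect_new_country_logins(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run on the sample log, the stuffing detector fires on 203.0.113.10 once five distinct accounts have been tried within five minutes (bob, carol, dave, erin, frank, with dave the only success), and the location check flags alice's login from RO. The gap between `succeeded` and `accounts` is the point of the post: the accounts the attacker actually got into are a subset of the accounts whose credentials you should now treat as burned.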

These security measures will prove crucial for Dropbox to recover from their recent woes and gain any kind of traction with businesses.  In fact, in our recent cloud collaboration survey, the vast majority of organizations said they would love to use something like Dropbox for collaboration if they felt it was as secure as their internal networks.

The bottom line is, when you have a breach, always assume the worst case scenario.  Dropbox may be risking another breach from the same stolen credentials rather than inconvenience their users by forcing a password reset.  That’s a really curious decision.

Needless to say, if you’re a Dropbox user, go reset your password (and stop reusing it anywhere else). You might also want to heed Marco Arment’s advice and treat Dropbox as a public repository: don’t store anything in it that you wouldn’t be comfortable seeing exposed.

