
Dropbox blames its users for security breach

On Monday, hackers claimed to have stolen 7 million Dropbox logins, anonymously posting 'teasers' of the supposedly stolen credentials on Pastebin - the teasers accompanied by the promise of more credentials in return for a Bitcoin donation. Dropbox have since poured cold water on the boasts, with senior Dropbox engineer Anton Mityagin claiming that "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe."

Mityagin went on to say "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."

A lesson in semantics?

It appears that, technically, Dropbox were not hacked, in that its service was not exploited to gain access. However, it is likely that individual Dropbox user accounts were compromised: credentials stolen from elsewhere were replayed against Dropbox and, where they matched, used to gain access. Valid Dropbox credentials can be found in places other than Dropbox for a simple reason: most internet users re-use the same login credentials across multiple sites and services.

It's unlikely that anyone reading this article won't have, at least at some point, re-used the same login credentials for different services. After all, the most important thing for most is convenience, not security.

This isn't the first time Dropbox has hit the headlines due to password re-use. In 2012, when 6.5 million LinkedIn usernames and passwords were stolen by Russian cybercriminals, one of those accounts happened to belong to a Dropbox employee. Unfortunately for Dropbox, the employee had used the same username and password for his Dropbox administrator account as he had to access his personal LinkedIn account. Hackers then used the stolen LinkedIn credentials to access the Dropbox admin account and harvest thousands of customer records.

Lessons to be learned

It all sounds rather obvious, but the lesson for employers is to enforce the use of strong, unique passwords for business accounts - and crucially, do not allow employees to re-use personal passwords for business. If you are concerned about employees doing this, then one additional security precaution is to ensure that employees switch on two-factor authentication for services where this is available. This adds an additional layer of security, meaning a hacker not only has to know the username and password, but also has to have access to the second authentication factor in order to access the service.
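The "measures in place to detect suspicious login activity" that Dropbox describe, and the credential re-use mechanism explained above, can be illustrated with a small detector. This is an added example, not code from the original post or from Dropbox: it runs over constructed log lines and flags a source IP that attempts many distinct accounts in a short window with mostly failed logins, then lists the accounts that nonetheless succeeded from it so they can be force-reset. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-10-13T09:00:01Z 203.0.113.7 alice FAIL
2014-10-13T09:00:02Z 203.0.113.7 bob FAIL
2014-10-13T09:00:03Z 203.0.113.7 carol OK
2014-10-13T09:00:04Z 203.0.113.7 dave FAIL
2014-10-13T09:00:05Z 203.0.113.7 erin FAIL
2014-10-13T09:00:06Z 203.0.113.7 frank FAIL
2014-10-13T09:00:07Z 203.0.113.7 grace OK
2014-10-13T09:00:08Z 203.0.113.7 heidi FAIL
2014-10-13T09:00:09Z 203.0.113.7 ivan FAIL
2014-10-13T09:00:10Z 203.0.113.7 judy FAIL
2014-10-13T09:05:00Z 198.51.100.9 alice FAIL
2014-10-13T09:05:30Z 198.51.100.9 alice OK
"""

def parse(log_text):
    """Turn each log line into (timestamp, ip, user, succeeded)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, outcome == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=8, max_success_ratio=0.5):
    """Flag IPs that try many distinct accounts within `window` with a
    low success rate: the signature of replaying a list of credentials
    stolen elsewhere. Returns {ip: sorted accounts that succeeded}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # chronological order per IP
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):    # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = [e[2] for e in span if e[3]]
            if len(users) >= min_users and \
                    len(successes) / len(span) <= max_success_ratio:
                flagged[ip] = sorted(set(successes))
    return flagged
```

A user retrying their own password from one address (the second IP in the sample) is not flagged, since a single account and a normal success rate do not match the pattern.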
