Document sharing service Dropbox has confirmed that it recently suffered a hacking attack that compromised the names and passwords of some user accounts.
Spam Complaints Lead to Breach Discovery
Dropbox says that a couple of weeks ago it received complaints from users who were getting spam at email addresses they use only for Dropbox. The investigation it launched found that attackers had used user names and passwords stolen from other accounts to gain unauthorized access to Dropbox accounts, and that they had also stolen the login information for an employee account that contained user names and email addresses. The company believes this security breach was the source of the spam.
In response, Dropbox says it will roll out two-factor authentication (an optional additional login requirement on top of the password, such as a code texted to the user's mobile phone), a new page that lets users see all logins to their account, and possibly periodic prompts to change passwords. Internally, Dropbox intends to add automated mechanisms for detecting suspicious activity.
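The article does not say how Dropbox's "automated mechanisms for detecting suspicious activity" work, so the following is an added illustration rather than Dropbox's code. It runs two simple checks over a constructed set of login events: one source address signing in to many different accounts in a short window (the pattern left behind when credentials stolen from other sites are replayed in bulk), and a successful login from an address an account has never used before (the kind of event a "see all logins to your account" page is meant to surface). The log format, thresholds and sample data are all assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Dropbox data).
# Format assumed here: ISO timestamp, account, source IP, result.
SAMPLE_EVENTS = """\
2012-07-31T10:00:01 alice@example.com 203.0.113.5 success
2012-07-31T10:00:03 bob@example.com 203.0.113.5 success
2012-07-31T10:00:04 carol@example.com 203.0.113.5 failure
2012-07-31T10:00:06 dave@example.com 203.0.113.5 success
2012-07-31T10:00:09 erin@example.com 203.0.113.5 failure
2012-07-31T10:05:00 alice@example.com 198.51.100.7 success
2012-07-31T11:00:00 bob@example.com 192.0.2.10 success
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def flag_many_accounts_per_ip(events, window=timedelta(minutes=10), threshold=3):
    """Return {ip: distinct_accounts} for source IPs that try to log in to at
    least `threshold` different accounts within `window`.  Both successes and
    failures count: a replay of stolen credentials produces a mix of the two."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[ip] = len(users)
                break
    return flagged


def new_location_logins(events):
    """Return (user, ip) pairs for successful logins from an IP the account has
    not previously used within this data set, in time order."""
    seen = defaultdict(set)
    alerts = []
    for ts, user, ip, result in sorted(events):
        if result != "success":
            continue
        if seen[user] and ip not in seen[user]:
            alerts.append((user, ip))
        seen[user].add(ip)
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("many accounts per IP:", flag_many_accounts_per_ip(evts))
    print("new-location logins:", new_location_logins(evts))
```

On the sample data the first check flags 203.0.113.5 (five different accounts in eight seconds) and the second reports alice and bob signing in from addresses they had not used before; in practice the second signal is noisy on its own and is better shown to the user than acted on automatically.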
Poor Password Practices Cause Problems
According to a posting on the corporate blog of security technology provider Sophos, the security breach at Dropbox is a perfect example of what happens when the "One Site, One Password" rule is broken. Sophos says a combination of email addresses leaking out from a non-database source at Dropbox and users employing the same password for multiple accounts led to the breach. Ultimately, Sophos concludes this hacking event was the result of a "mixture of poor practice both inside and outside the organization."
Other recent high-profile security breaches also sprang from poor password practices. For example, CNET recently examined the passwords associated with email accounts that were exposed during a major hack of the login credentials of 450,000 Yahoo subscribers. Analysis determined that a sequential list of numbers was used 2,295 times, with "123456" being the most popular (the lack of common sense associated with this type of password is at the root of a famous gag in the cult Mel Brooks sci-fi spoof "Spaceballs"). The password "111111" was used another 160 times. And 780 subscribers thought "password" would be sufficient to fool online crooks.
Pop culture references also made the list, with "ninja" appearing 333 times and "ncc1701," the designation of the Starship Enterprise from "Star Trek," used 27 times.
The IT Security Office at Duke University offers some helpful tips on how to select a strong password that will not be easy for a hacker to guess. These include using at least eight characters (some systems allow up to 63), mixing upper and lower-case characters, interspersing punctuation marks and symbols, and using modified versions of words from favorite childhood nursery rhymes or foods.
Duke IT Security also advises never using the same password on more than one account (especially important for SMB employees who may use the same password on personal and corporate accounts) and avoiding dictionary words, phone numbers and anything associated with a name.
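As an added example (not code from the article, Duke or CNET), the checker below turns the Duke guidance above, together with the weak patterns CNET found in the Yahoo dump, into something a signup form could enforce: minimum length of 8 and maximum of 63, mixed case, punctuation or symbols, no sequential or repeated digits, nothing that looks like a phone number, nothing from a list of common passwords, and no personal name the caller supplies. The common-password list is a small constructed stand-in for the large breached-password lists a real deployment would use, and the phone-number test is a simple heuristic assumed here.

```python
import re
import string

# Constructed stand-in for a breached-password list; the entries come from the
# figures quoted in this article plus a few well-known fillers.
COMMON_PASSWORDS = {"123456", "111111", "password", "ninja", "ncc1701",
                    "qwerty", "letmein"}


def is_sequential_digits(pw):
    """True for all-digit strings that count up or down by one (123456, 654321)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    diffs = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def is_repeated_char(pw):
    """True when the whole password is one character repeated (111111)."""
    return len(pw) > 0 and len(set(pw)) == 1


def looks_like_phone_number(pw):
    """Heuristic assumed here: after stripping common separators, 7 to 11 digits remain."""
    stripped = re.sub(r"[\s\-().+]", "", pw)
    return stripped.isdigit() and 7 <= len(stripped) <= 11


def check_password(pw, personal_names=()):
    """Return a list of findings; an empty list means the password passed every check."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if len(pw) > 63:
        findings.append("longer than 63 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("does not mix upper- and lower-case letters")
    if not any(c in string.punctuation for c in pw):
        findings.append("contains no punctuation or symbols")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")
    if is_sequential_digits(pw) or is_repeated_char(pw):
        findings.append("is a sequential or repeated pattern")
    if looks_like_phone_number(pw):
        findings.append("looks like a phone number")
    for name in personal_names:
        if name and name.lower() in pw.lower():
            findings.append(f"contains the name {name!r}")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "password", "(919) 555-0123", "Hickory-D1ckory!"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that the one rule this code cannot enforce is the most important one in the Dropbox incident: a single site has no way to tell whether a user has reused the password elsewhere, so "one site, one password" has to be taught to users rather than checked at signup.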
How this breach will affect users' faith in cloud storage remains to be seen, but this repeat performance does not inspire trust.