Forget the headlines you may have seen. Dropbox wasn't hacked. Seven million Dropbox accounts were not compromised.
That’s the word from the cloud-based storage service provider, which, quite frankly, doesn't seem too worried that customers' accounts have been compromised. “We have proactive measures to prevent those kinds of things,” said a company spokesperson. “And when we see suspicious activity, we automatically reset passwords.”
And in this case, the vast majority of the passwords that hackers claimed could be used to log into Dropbox accounts had expired. Any that weren’t are expired now.
Stolen from Third Parties
For anyone who hasn’t yet heard about the alleged Dropbox breach, an anonymous Pastebin.com user claims to have compromised 7 million accounts. (Pastebin.com is a website where you can store text for a certain period of time.)
The culprit posted the first 400 names and passwords directly to Pastebin with a call for Bitcoin donations to leak more.
Dropbox was not the source from which the passwords were taken, our sources said. Rather, they were stolen from other services and used in attempts to log in to Dropbox accounts.
In a post on the Dropbox blog, company security team member Anton Mityagin stated:
“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”
That being said, Dropbox does recommend that you use two-step verification on the site and any others that accept it. Reused and weak passwords leave too many of us vulnerable, which is what might have happened in the celebrity photo hack on iCloud.
Don't Be Naive
Password reuse is a phenomenon that is all too common, says Paul Trulove, vice president of products at SailPoint, a company that provides Identity and Access Management solutions. And it threatens not only consumer users but their employers as well. A recent survey conducted by SailPoint found that half of business leaders in the UK, and 40 percent in the US, admitted to reusing the same password across personal and work applications.
“By doing so, these business users are creating potentially large ramifications on the company’s security because then a single password breach can all too easily cascade across a myriad of other applications,” he says.
SailPoint’s remedy to the problem is its identity and access management (IAM) solution, which governs access across every application that a business uses; Dropbox’s is two-factor verification. To learn how to implement it, go here. Enabling it should save everyone a lot of headaches.