Hackers Use Stolen Passwords to Jimmy Into Dropbox
Aug 1, 2012 11:43 AM PT
Dropbox says reused passwords are to blame for a wave of spam that's hitting subscribers to the service.
The company found that usernames and passwords recently stolen from other websites were used to sign in to some Dropbox accounts. One of these accounts belonged to a Dropbox employee, and it contained a project document with some users' email addresses.
This improper access led to the spamming of many users, Dropbox said.
The company has taken various steps to improve security, including the coming introduction of two-factor authentication.
"The downside of not having more rigorous access controls in place around sensitive data is that they can be compromised," Todd Thiemann, senior director of product marketing at Vormetric, told TechNewsWorld. "Dropbox appears to have learned that the hard way."
Bless My Soul, What's Wrong With Me?
Some Dropbox customers began complaining about being spammed back in mid-July.
The company called in external investigators to look into the matter, and on Tuesday it said the situation was most likely attributable to usernames and passwords employed by its subscribers across multiple sites.
It has contacted customers whose accounts had been hijacked and helped them protect their accounts.
"Given [Dropbox's] poor track record when it comes to security, I was floored" by the company's statement about contacting users whose accounts had been hijacked, said Rob Sobers, technical marketing manager at Varonis.
"They are assuming they know exactly which accounts were compromised," Sobers told TechNewsWorld. "What about the accounts whose passwords might have been stolen but haven't been breached yet?"
All Shook Up
"What other customer information is stored in Dropbox folders -- credit card data? Passwords?" Varonis's Sobers asked. "Which employees have access to customer data? Of the employees that have access to customer data, how many of them reuse their passwords?"
As for the project document stolen from a Dropbox employee whose account was hijacked, "A Dropbox employee should have clearly defined policies surrounding password strength and reuse for anything they do with customer data, regardless of where it's stored," Randy Abrams a research director at NSS Labs, told TechNewsWorld.
Encrypting sensitive data in cloud services such as Dropbox is critical because, "as a rule of thumb, anything stored in the cloud that's not meant to be a Playboy Expose should be encrypted," Abrams continued.
Upping the Security Ante
Measures Dropbox is taking to improve security include two-factor authentication, new automated mechanisms to help identify suspicious activity, and a new page that lets users examine all active logins to their account.
The company may require users to change their passwords in some cases, for example where the passwords are commonly used or haven't been changed in a long time.
It is also recommending that users set a unique password for each website they use.
"Going forward, integrating password education with regularly mandated password changes would be a good thing," NSS Labs' Abrams said.
However, "the problem is that a policy of password-only security is outdated," Leonid Shtilman, CEO of Viewfinity, told TechNewsWorld. He advocates using biometric facial recognition technology.
Comments on Security Measures
Password reuse across multiple sites "is a universal problem ... and it's better for services such as Dropbox to offer multi-factor authentication, given the gravity of data that people store on these systems," Frank Artes, a research director at NSS Labs, told TechNewsWorld.
In the interim, it would be a best practice to force a full change of passwords and set a threshold on password strength, Artes suggested.
Computer security "is an evolving process, driven by the harsh reality of computer crime," David Perry, global director of education at Comodo, told TechNewsWorld. "I have no doubt that this kind of 'oops' moment will be very common over the next decade."
Dropbox did not respond to our request to comment.