Recently, that safety has been called into question.
On Wednesday, Dropbox warned its users to change their passwords after it came to light that hackers had invaded the site and stolen the contact details of over 68 million users.
The initial attack actually took place in 2012, after hackers wormed their way into LinkedIn and stole a password that a Dropbox employee happened to be reusing in order to access the company’s corporate network. From there, the hackers were easily able to gain access to Dropbox’s user database and passwords.
In the company’s defense, Dropbox was undeniably demonstrating good user data security practice at the time by encrypting all of those passwords. It had also already begun the process of upgrading its encryption to a stronger hashing function called bcrypt. Experts say that means it was very unlikely the hackers would ever have been able to decrypt an estimated 32 million of the passwords they had stolen.
After learning of the breach, Dropbox nonetheless immediately contacted affected users and provided guidance on how to secure their accounts. The company also went on to add a series of new security measures, such as two-factor authentication, in order to protect against similar attacks.
The dust began to settle, and it looked like that was the end of that.
But two weeks ago, Dropbox was forced to launch a brand new investigation in relation to the 2012 attack after reports surfaced that a list of the stolen passwords had been dumped online. Independent security experts verified the leak, and so Dropbox prompted affected users to change their login credentials for the cloud service. The site then published a blog post earlier this week encouraging all users who hadn’t changed their passwords since mid-2012 to do so immediately.
“We’re doing this purely as a preventive measure,” Dropbox’s Head of Trust & Security, Patrick Heim, wrote. “Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed.”
Despite the muted impact of Dropbox’s data breach and the company’s relatively forthcoming handling of the attack, it undeniably highlights the need for stringent security on the part of both service providers and their users.
It goes without saying that Dropbox users should opt to use two-step authentication in every instance, and should never reuse the same password for multiple sites. After all, it was the failure of a Dropbox employee to follow this basic advice that led to this security scare in the first place. And while remembering a gaggle of different passwords may seem daunting or unnecessary, it’s simply the nature of the beast. Recent attacks on password management services suggest that sites like OneLogin may not be the way forward, either.
Always Be Thoughtful of Cloud Data Safety
At the end of the day, cloud services like Dropbox are an incredible tool for millions of web users and business owners. Yet bearing in mind the rapidly evolving nature of cybercrime, these sites have got to be used with discretion and sensibility. Even the slightest lapse in judgement by you, a friend or employee could inadvertently place some of your most treasured digital assets at risk. After all, this whole breach stemmed from one Dropbox employee harmlessly recycling a password.
Should users turn their backs on cloud services like Dropbox? Of course not. But always be wary of how you’re using these services and what types of data you’re storing on them.