Dropbox data breach proves the "One Site, One Password" rule

Filed Under: Data loss, Featured, Privacy, Spam

A couple of weeks ago, Dropbox users started noticing an upturn in spam to email addresses they'd only ever used for Dropbox.

Understandably, they wanted to know, "Why?"

There are numerous possible explanations for this sort of thing.

Here are a few:

  1. An email address database at Dropbox got compromised.
  2. Email addresses leaked out from a non-database source at Dropbox.
  3. Malware on the user's computer scooped up email addresses from the local hard disk.
  4. Malware logged passwords on the user's computer.
  5. User inadvertently used the same email address somewhere else.
  6. User inadvertently used the same password somewhere else.
  7. Dropbox's password database got stolen and cracked.
  8. Spammers got lucky guessing at email addresses.

With so many reasons to hand, tracking exactly why an email address suddenly saw a surge in spam can be tricky.

In the Dropbox case, however, the jury has now returned a verdict.

As in many multiple choice examinations, the right answer is "more than one of the above" - in fact, reasons (2) and (6).

Some users had used the same password on multiple sites, and a compromise elsewhere led to their Dropbox accounts being unlawfully accessed.

Unfortunately, the list of users who had re-used passwords included a Dropbox staffer. That user's account was raided and gave up not one email address, but many, thanks to what Dropbox describes as "a project document with user email addresses."

In other words, the breach (yes, I know email addresses alone don't make much of a breach, but it's the thought that counts) ended up being a mixture of poor practice both inside and outside the organisation.

So, if you've ever doubted the value of the advice to choose a different password for each online account, this is a real-life case study to make you think again.

While we're talking about passwords, here's a Sophos Techknow podcast entitled Busting Password Myths.

Chester and I dig into the thorny issue of password rules and regulations, including the whole question of password re-use.

Listen now:

Duration 14'35", size 10.5MBytes

(Oh, and if you're interested in automatically encrypting the stuff you entrust to Dropbox, so that outsiders who raid your account can't make sense of what you've stashed in the cloud anyway, you might also want to take a peek at our Encryption for Cloud Storage solution.)


, , ,

You might like

5 Responses to Dropbox data breach proves the "One Site, One Password" rule

  1. JMJ · 1163 days ago

    It's amazing how many computer users remain careless, especially given the current, well-publicized, online (in)security environment. Recently a neighbor asked me to help repair the damage resulting from her Yahoo, ICQ and Gmail accounts having been compromised. Having begun writing COBOL scripts in the 1970's, she is not at all computer-illiterate but, still, actually used the password, "password", for one of those accounts which was usually accessed from a computer shared with an adult daughter.

    With the availability of many third-party apps that generate strong, random passwords and then encrypt and store them locally and/or on portable devices, there is no excuse for passwords being a weak link in our online safety.

    That poor Dropbox employee, who contributed to this particular breach, should be made to buy coffee for ALL the affected users. :)

  2. James Rutherford · 1163 days ago

    It's getting worrying how many things like this has happened, also the "Dropbox lets anyone log in as anyone" wasn't too good either. Planning to move off dropbox ASAP, i'm beginning to loose trust in it.

    • guest · 1163 days ago

      Yeah, all two issues and this one wasn't even compromised software. Screw them!

  3. Patrick · 1163 days ago

    Dropbox needs some 2factor auth.

  4. Internaut · 1163 days ago

    The only thing people should put on any outside storage medium is something they'd share with their Mother. Else, keep it under one's own direct control.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog