A couple of weeks ago, Dropbox users started noticing an upturn in spam to email addresses they’d only ever used for Dropbox.
Understandably, they wanted to know, “Why?”
There are numerous possible explanations for this sort of thing.
Here are a few:
1. An email address database at Dropbox got compromised.
2. Email addresses leaked out from a non-database source at Dropbox.
3. Malware on the user’s computer scooped up email addresses from the local hard disk.
4. Malware logged passwords on the user’s computer.
5. User inadvertently used the same email address somewhere else.
6. User inadvertently used the same password somewhere else.
7. Dropbox’s password database got stolen and cracked.
8. Spammers got lucky guessing at email addresses.
With so many reasons to hand, tracking exactly why an email address suddenly saw a surge in spam can be tricky.
In the Dropbox case, however, the jury has now returned a verdict.
As in many multiple choice examinations, the right answer is “more than one of the above” – in fact, reasons (2) and (6).
Some users had used the same password on multiple sites, and a compromise elsewhere led to their Dropbox accounts being unlawfully accessed.
Unfortunately, the list of users who had re-used passwords included a Dropbox staffer. That user’s account was raided and gave up not one email address, but many, thanks to what Dropbox describes as “a project document with user email addresses.”
In other words, the breach (yes, I know email addresses alone don’t make much of a breach, but it’s the thought that counts) ended up being a mixture of poor practice both inside and outside the organisation.
So, if you’ve ever doubted the value of the advice to choose a different password for each online account, this is a real-life case study to make you think again.
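The chain described above (one site compromised, the same password reused elsewhere, other accounts falling as a result) is easy to audit for on your own side. The following is an added example, not code from the original post or from Dropbox: it runs over a constructed password-manager export, reports passwords shared across sites, and, given a site known to have been breached, lists the other accounts whose credentials that breach exposes. The vault entries, site names and logins are all made up for the demonstration.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample of a password-manager export; none of these are real accounts.
SAMPLE_VAULT = [
    {"site": "dropbox.com",       "login": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "forum.example.net", "login": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "bank.example",      "login": "alice",             "password": "correct horse battery staple"},
    {"site": "shop.example",      "login": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "mail.example",      "login": "alice@example.com", "password": "different-one-4-mail"},
]


def fingerprint(password: str) -> str:
    """Short hash so a report can name a password without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Group vault entries by password and report every password used on more than one site.

    'stuffable_logins' lists logins that appear with that password on several sites:
    exactly the login+password pairs a credential-stuffing attack would replay.
    """
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry)

    report = []
    for password, entries in by_password.items():
        if len(entries) < 2:
            continue
        login_counts = Counter(e["login"] for e in entries)
        report.append({
            "fingerprint": fingerprint(password),
            "sites": sorted(e["site"] for e in entries),
            "stuffable_logins": sorted(l for l, n in login_counts.items() if n > 1),
        })
    return sorted(report, key=lambda r: r["fingerprint"])


def blast_radius(vault, breached_site: str):
    """Sites (other than the breached one) whose password matches a credential stored for breached_site."""
    leaked = {e["password"] for e in vault if e["site"] == breached_site}
    return sorted(
        e["site"] for e in vault
        if e["site"] != breached_site and e["password"] in leaked
    )


if __name__ == "__main__":
    for finding in find_reuse(SAMPLE_VAULT):
        print(f"password {finding['fingerprint']} reused on {finding['sites']}; "
              f"same login on several of them: {finding['stuffable_logins']}")
    print("if forum.example.net is breached, also at risk:", blast_radius(SAMPLE_VAULT, "forum.example.net"))
```

On the sample data, `blast_radius(SAMPLE_VAULT, "forum.example.net")` returns `["dropbox.com", "shop.example"]`, which is the situation the article describes: a breach of an unrelated forum hands an attacker a working Dropbox login. The report prints a truncated hash rather than the password itself so the output can be shared without widening the problem.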
While we’re talking about passwords, here’s a Sophos Techknow podcast entitled Busting Password Myths.
Chester and I dig into the thorny issue of password rules and regulations, including the whole question of password re-use.
Duration 14’35”, size 10.5MBytes
(Oh, and if you’re interested in automatically encrypting the stuff you entrust to Dropbox, so that outsiders who raid your account can’t make sense of what you’ve stashed in the cloud anyway, you might also want to take a peek at our Encryption for Cloud Storage solution.)
5 comments on “Dropbox data breach proves the “One Site, One Password” rule”
It's amazing how many computer users remain careless, especially given the current, well-publicized, online (in)security environment. Recently a neighbor asked me to help repair the damage resulting from her Yahoo, ICQ and Gmail accounts having been compromised. Having begun writing COBOL scripts in the 1970's, she is not at all computer-illiterate but, still, actually used the password, "password", for one of those accounts which was usually accessed from a computer shared with an adult daughter.
With the availability of many third-party apps that generate strong, random passwords and then encrypt and store them locally and/or on portable devices, there is no excuse for passwords being a weak link in our online safety.
That poor Dropbox employee, who contributed to this particular breach, should be made to buy coffee for ALL the affected users. 🙂
It's getting worrying how many things like this have happened; also the "Dropbox lets anyone log in as anyone" wasn't too good either. Planning to move off Dropbox ASAP, I'm beginning to lose trust in it.
Yeah, all two issues and this one wasn't even compromised software. Screw them!
Dropbox needs some 2-factor auth.
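The second factor the commenter above is asking for is usually a time-based one-time code (TOTP, RFC 6238, built on HOTP from RFC 4226), which makes a reused password alone insufficient to log in. As an added example, not code from Dropbox or from the original post, here is a standard-library implementation of both the code generation and the server-side check, including the clock-skew window and a last-used-counter check so an intercepted code cannot be replayed within the same time step. The secret is the published RFC test secret, used only so the results can be checked against the RFC vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# The ASCII secret from the RFC 4226 / RFC 6238 test vectors; a real enrolment uses new_secret().
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Server-side check.

    Accepts a code from the current step or up to `window` steps either side (clock skew),
    compares in constant time, and refuses any counter at or below `last_counter`, which the
    caller persists per user so an already-accepted code cannot be replayed.
    Returns the matched counter (to be stored as the new last_counter) or None.
    """
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print("enrolment secret for an authenticator app:", new_secret())
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "-> accepted at counter", verify_totp(RFC_TEST_SECRET, code, now))
```

The `last_counter` argument is the part most home-grown implementations forget: without it, a code captured by a phishing page stays valid for the whole step plus the skew window. Persist the returned counter per user and pass it back on the next login.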
The only thing people should put on any outside storage medium is something they'd share with their Mother. Else, keep it under one's own direct control.