Dropbox data breach proves the “One Site, One Password” rule

A couple of weeks ago, Dropbox users started noticing an upturn in spam to email addresses they’d only ever used for Dropbox.

Understandably, they wanted to know, “Why?”

There are numerous possible explanations for this sort of thing.

Here are a few:

  1. An email address database at Dropbox got compromised.
  2. Email addresses leaked out from a non-database source at Dropbox.
  3. Malware on the user’s computer scooped up email addresses from the local hard disk.
  4. Malware logged passwords on the user’s computer.
  5. User inadvertently used the same email address somewhere else.
  6. User inadvertently used the same password somewhere else.
  7. Dropbox’s password database got stolen and cracked.
  8. Spammers got lucky guessing at email addresses.

With so many reasons to hand, tracking exactly why an email address suddenly saw a surge in spam can be tricky.

In the Dropbox case, however, the jury has now returned a verdict.

As in many multiple choice examinations, the right answer is “more than one of the above” – in fact, reasons (2) and (6).

Some users had used the same password on multiple sites, and a compromise elsewhere led to their Dropbox accounts being unlawfully accessed.

Unfortunately, the list of users who had re-used passwords included a Dropbox staffer. That user’s account was raided and gave up not one email address, but many, thanks to what Dropbox describes as “a project document with user email addresses.”

In other words, the breach (yes, I know email addresses alone don’t make much of a breach, but it’s the thought that counts) ended up being a mixture of poor practice both inside and outside the organisation.

So, if you’ve ever doubted the value of the advice to choose a different password for each online account, this is a real-life case study to make you think again.
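The practical follow-up for a site operator is to find out which of your own users have re-used a password that has already leaked elsewhere, before the attackers do. The example below is added here and is not Dropbox's code or anything described on this page; it assumes the site stores only salted PBKDF2 hashes, so a leaked password cannot be matched by comparing hashes directly and has to be recomputed under each user's own salt. The user list and the third-party dump are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data (not real accounts): what our own site knows,
# and an email:password dump that turned up from a breach somewhere else.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice@example.com", "correct horse battery staple"),
    ("staffer@example.com", "Summer2012!"),           # re-used on another site
    ("bob@example.com", "unique-for-this-site-only"),
]
SAMPLE_DUMP: List[Tuple[str, str]] = [
    ("Staffer@example.com", "Summer2012!"),           # same password as with us
    ("bob@example.com", "bobs-forum-password"),       # different password: fine
    ("carol@example.com", "whatever"),                # not one of our users
]

ITERATIONS = 100_000  # hypothetical PBKDF2 work factor for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a site might store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(users: List[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build {email: (salt, hash)}; the clear-text password is never kept."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in users:
        salt = os.urandom(16)            # one random salt per user
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(dump: List[Tuple[str, str]],
                            store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return the emails whose leaked password also unlocks their account here.

    Per-user salts mean two sites hashing the same password get different
    hashes, so the only way to check is to hash the leaked password under
    our salt for that user and compare in constant time.
    """
    reused: List[str] = []
    for email, leaked_password in dump:
        entry = store.get(email.lower())
        if entry is None:
            continue                     # not our user, nothing to do
        salt, stored_hash = entry
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            reused.append(email.lower())
    return reused


def audit() -> List[str]:
    """Run the check over the constructed sample data."""
    return find_reused_credentials(SAMPLE_DUMP, make_user_store(SAMPLE_USERS))


if __name__ == "__main__":
    for email in audit():
        print(f"force password reset: {email}")
```

Accounts the audit flags are the ones to reset and notify; the others in the dump either are not your users or, like bob, followed the one-site-one-password rule and are unaffected by the other site's breach. Note that the audit itself is a reason to check dumps promptly and then discard them, since it requires handling other people's clear-text passwords.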

While we’re talking about passwords, here’s a Sophos Techknow podcast entitled Busting Password Myths.

Chester and I dig into the thorny issue of password rules and regulations, including the whole question of password re-use.

Duration 14’35”, size 10.5MBytes

(Oh, and if you’re interested in automatically encrypting the stuff you entrust to Dropbox, so that outsiders who raid your account can’t make sense of what you’ve stashed in the cloud anyway, you might also want to take a peek at our Encryption for Cloud Storage solution.)