On Monday, hackers claimed to have stolen 7 million Dropbox logins, anonymously posting ‘teasers’ of the supposedly-stolen credentials on Pastebin – the teasers accompanied by the promise of more credentials in return for a Bitcoin donation. Dropbox have since poured cold water on the boasts, with senior Dropbox engineer, Anton Mityagin, claiming that “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe.”
Mityagin went on to say “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”
A lesson in semantics?
It appears that, technically, Dropbox were not hacked in that its service was not exploited to gain access. However, it is likely that Dropbox user accounts could have been compromised due to credentials being stolen from elsewhere and then used to gain access on the service. The reason Dropbox credentials can be found in places other than Dropbox of course is because most internet users re-use the same login credentials across multiple sites and services.
It’s unlikely that anyone reading this article won’t have, at least at some point, re-used the same login credentials for different services. After all, the most important thing for most is convenience, not security.
This isn’t the first time Dropbox has hit the headlines due to password re-use. In 2012, when 6.5 million LinkedIn usernames and passwords were stolen by Russian cybercriminals, one of those accounts happened to belong to a Dropbox employee. Unfortunately for Dropbox, the employee had used the same username and password for his Dropbox administrator account as he had to access his personal LinkedIn account. Once stolen, hackers used the LinkedIn credentials to access the Dropbox admin account and harvest thousands of customer records.
Lessons to be learned
It all sounds rather obvious, but the lesson for employers is to enforce the use of strong, unique passwords for business accounts – and crucially, do not allow employees to re-use personal passwords for business. If you are concerned about employees doing this, then one additional security precaution is to ensure that employees switch on 2-Factor authentication for services where this is available. This adds an additional layer of security for services, meaning a hacker not only has to know the username and password, but also have access to the second authentication factor in order to access the service.