Were you one of the millions of long-time Dropbox users who received an email that warned you’d be prompted to update your password on your next login – that is, if you haven’t done so since 2012? I got it over the weekend and was annoyed by the lack of details in the note itself. So much so, that I wondered if the email was real. It read more like spam, encouraging you to click on a link for more information rather than explain what happened right up front.
Unfortunately, the email was real, and disturbing, as we now know that 68 million Dropbox passwords and user names were stolen in 2012. Yes, that’s right. Four years ago. That Dropbox was breached years ago isn’t exactly news, and I even wrote about the 2012 breach and warned that we should expect the dominos to begin falling because of the nature of the breach. I didn’t expect it to take four years. I’m not the only one, as the Wall Street Journal wrote:
Dropbox had previously disclosed that it had been compromised in 2012, but the company underestimated the impact of the incident. On Wednesday, the company said it was unaware of the full extent of the hack until the files surfaced.
Clearly, this is a big-time failure on Dropbox’s part, as Chris Roberts, chief security architect at Acalvio, told me in an email comment:
It’s interesting that user accounts taken in an incident in 2012 are only now "coming to light." That's an awfully long time to wait before publicly stating that "we have an issue.” It's frustrating that the organization potentially knew of the problem, but didn't confirm it, as there was no credible evidence that the data was in the wild? It would be good to work out or understand why Dropbox didn't put its hand up and admit the issue back in 2012. Instead, the company waited four years until someone actually dropped the hacked accounts after probably harvesting who knows how much intelligence.
No matter how negligent Dropbox has been in this incident, it highlights several important security issues where organizations and end users alike are too often lax. One is password laziness and our use of one password across many (most?) sites. Because of that, how many other sites have been compromised over those four years without us having a clue?
Secondly, the Dropbox breach is a vivid reminder of the security problems of shadow IT. How many of those Dropbox accounts were used for corporate document sharing without IT knowing about it? How often are we using applications without IT knowledge or permission and what risks does that use cause to data and the network?
Finally, as Steve Durbin, managing director with Information Security Forum, told me via email, we drop the ball on security responsibility:
You can outsource storage and access to a third party but you cannot outsource your responsibility for security of your data. When an event like this happens, it’s the user who loses.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba