The story of the Dropbox breach keeps getting more intriguing.
Today, Dropbox has come out and admitted that, yes, there was a breach that led to last month’s spam attack on user accounts. What caused the problem? A stolen password that resulted in an employee’s account being improperly accessed. And what was in that employee’s account? A file with Dropbox user passwords.
Let the dominoes fall.
But wait, Dropbox added, it wasn’t just this one employee account that was breached. According to PC World:
The company also found that usernames and passwords that had been stolen from other websites were used to access "a small number of Dropbox accounts.” Hackers commonly try username and password combinations from breaches on other web services in hopes people use the same combination, a common security problem.
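The pattern PC World describes, one source replaying username/password pairs leaked from another site, has a recognisable shape in a login log: one IP tries many different usernames, each only once or twice, and almost all of the attempts fail because most people did not reuse that password. The one that succeeds is the reused credential. The following is an added example, not code from the original post and not anything Dropbox has described running; the log line format, the field names and the thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Flag credential-stuffing sources in authentication logs.

Credential stuffing looks different from brute force against one account:
a single source tries *many distinct* usernames, each with only the one or
two passwords leaked from some other site, and most attempts fail because
most users did not reuse the password.  Per-user lockout never fires,
because no single account sees more than a couple of failures.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed log format for this example (not any real product's format):
#   <ISO-8601 UTC timestamp> ip=<source> user=<login> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Everything we track per source IP."""
    first: datetime
    last: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in


def parse_line(line):
    """Return (timestamp, ip, user, ok) or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"].lower(), m["result"] == "OK"


def summarize(lines):
    """Aggregate login attempts per source IP."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, user, ok = parsed
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first=ts, last=ts)
        s.first, s.last = min(s.first, ts), max(s.last, ts)
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8, window=timedelta(minutes=10)):
    """Sources that tried many distinct users, mostly failing, in a short window.

    The thresholds are illustrative; tune them against your own baseline.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) < min_users:
            continue  # one user many times is brute force, a different detector
        if s.last - s.first > window:
            continue  # slow, spread-out traffic needs a longer-horizon rule
        if s.failures / s.attempts < min_fail_ratio:
            continue  # a NAT gateway full of real users succeeds far more often
        flagged[ip] = s
    return flagged


def compromised_accounts(flagged):
    """Accounts that logged in from a flagged source: these need a forced reset."""
    return set().union(*(s.successes for s in flagged.values()))


# Constructed sample log: one stuffing source, one brute-force source, one real user.
SAMPLE_LOG = [
    "2012-07-18T10:00:00Z ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2012-07-18T10:00:01Z ip=198.51.100.7 user=bob@example.com result=FAIL",
    "2012-07-18T10:00:02Z ip=198.51.100.7 user=carol@example.com result=FAIL",
    "2012-07-18T10:00:03Z ip=198.51.100.7 user=dave@example.com result=FAIL",
    "2012-07-18T10:00:04Z ip=198.51.100.7 user=erin@example.com result=FAIL",
    "2012-07-18T10:00:05Z ip=198.51.100.7 user=frank@example.com result=OK",
    "2012-07-18T10:00:06Z ip=198.51.100.7 user=grace@example.com result=FAIL",
    "2012-07-18T10:00:07Z ip=198.51.100.7 user=heidi@example.com result=FAIL",
    "2012-07-18T10:01:00Z ip=203.0.113.9 user=admin@example.com result=FAIL",
    "2012-07-18T10:01:01Z ip=203.0.113.9 user=admin@example.com result=FAIL",
    "2012-07-18T10:01:02Z ip=203.0.113.9 user=admin@example.com result=FAIL",
    "2012-07-18T10:01:03Z ip=203.0.113.9 user=admin@example.com result=FAIL",
    "2012-07-18T10:01:04Z ip=203.0.113.9 user=admin@example.com result=FAIL",
    "2012-07-18T10:01:05Z ip=203.0.113.9 user=admin@example.com result=FAIL",
    "2012-07-18T10:02:00Z ip=192.0.2.4 user=ivan@example.com result=FAIL",
    "2012-07-18T10:02:09Z ip=192.0.2.4 user=ivan@example.com result=OK",
]

if __name__ == "__main__":
    hits = flag_stuffing(summarize(SAMPLE_LOG))
    for ip, s in hits.items():
        print(f"{ip}: {len(s.users)} users, {s.failures}/{s.attempts} failed, "
              f"took over {sorted(s.successes)}")
    print("force password reset + session revoke for:", sorted(compromised_accounts(hits)))
```

Run against the constructed log, only 198.51.100.7 is flagged: eight usernames in seven seconds with seven failures, and the single success, frank@example.com, is the account whose owner reused a password from another site, so it is the one to reset and whose sessions to revoke. The brute-force source 203.0.113.9 is deliberately left to a per-account lockout rule, and the real user who mistyped once is not touched. An attacker who spreads the list across many proxies drops below min_users per source, so this per-IP count is a first cut; the same aggregation keyed on network prefix, ASN or user-agent catches more of that.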
Dropbox has said it will be adding two-factor authentication to boost security. The second factor is yet to be announced.
A ZDNet blog ripped into Dropbox for its overall lax authentication security, noting that this was the second time in a year in which a serious security mistake occurred and promises were made to fix the problem.
While I don’t disagree with that premise, I also don’t think Dropbox is all that different from any other company that has suffered a password or authentication-related breach. Usually we are just told to change our passwords and move along our merry way. For example, I didn’t get any word that LinkedIn was changing the way that I log into my account, despite its password breach. So, yes, it may have taken two incidents for Dropbox to make a real change, but at least it is making a change and is openly recognizing that the password system alone just doesn’t work.
And that is a lesson that we all should take. Why are hackers able to figure out other username/password combinations? Because users are lazy and hate coming up with different username/password combinations for every single account. We’re all guilty of it. Even security experts and security writers I’ve spoken with have sheepishly admitted they will use the same combination across some accounts, but that they have unique passwords for the most sensitive accounts.
I think we’ve reached a point where two-factor authentication has to become the norm rather than the exception. We may have reached the password saturation point for what people can remember.