Earlier this month, Dropbox was investigating an issue where users were receiving spam at email addresses they only used for Dropbox. Initially they said that there was no sign that this was due to a breach, but now it looks like their story is changing.
The current explanation is that a number of Dropbox accounts were hacked because their usernames and passwords were reused from another site that was breached. One of those accounts belonged to an employee who was storing a document that contained email addresses of Dropbox users.
People seem to think security issues won’t happen to them because they’re too unimportant to be targeted. But it’s unlikely that this employee was a high-level manager – it was probably someone in the trenches who deals directly with customers. And yet the information stolen from this employee has led to a big PR headache for Dropbox that has required them to make some big and expensive changes to their security policy. Not that the changes weren’t called for in the first place – but it has forced their hand, and expedited action is never cheap.
None of us is too unimportant to bother with security. We all need to guard our information, especially if we’re putting it in the Cloud. It’s irrelevant whether you think the data is valuable; the odds are that someone else can find a way to make a buck off it. So here’s your security moral for the day:
- Do not reuse usernames and passwords for different websites. Seriously.
- Change your passwords on sites periodically.
- Use two-factor authentication if it’s offered.
- If you’re going to post data in the Cloud, encrypt it or password-protect it.
In short: Assume that the website’s security is not bulletproof. Act accordingly. If you keep that in mind, you can save yourself a lot of headaches when situations like this come to light.