News broke late last month that files were found online containing 68,680,741 Dropbox user accounts plus their salted and hashed passwords. This was linked to a data breach that took place in 2012.
Back in 2012 it was speculated that Dropbox had been hacked, although the company denied it at the time. Dropbox contacted an unknown number of users explaining that an employee Dropbox account had been accessed with a stolen password and this contained “a project document with email addresses”. Dropbox went on to apologize and state they had “put additional controls in place to help make sure it doesn’t happen again.”
Fast forward to late August 2016 – Dropbox emailed users who hadn’t changed their password since mid 2012 advising them that they would be prompted to change their password the next time they login, citing the action as a “preventative measure”. The real reason behind the request (the fact that email addresses and salted and hashed passwords had been stolen back in 2012) was only revealed to those who happened to click on a help center link from within the email, and scrolled down the page to find the text.
Why didn’t Dropbox force a password reset back in 2012 as a preventative measure?
Given the severity of this data breach and significant number of users potentially affected, has Dropbox responded accordingly? Some articles have praised their proactiveness in contacting users believed to have been affected in recent weeks, others including Stilgherrian’s Why Dropbox’s data breach response is still wrong highlight the issues. Do current actions make up for not fully disclosing what information was actually stolen 4 years ago, and not taking preventative measures then?
Where is the urgency to ensure all passwords are reset and user accounts secured?
Potentially affected users at the time of writing this article have only received one email request to reset their password, and in this communication there was no urgency to do it immediately. Hackers can potentially change passwords, locking users out of their own accounts, and for those users that are permanently logged in, a log out is required to force a password reset.
While Dropbox is an extremely successful company with in excess of 100 million users, an impressive feature set and provides a convenient way for consumers and businesses to share and store data in the cloud, the fact remains they failed to provide their users with an adequate duty of care in regards to data security.
User trust is incredibly important in times of crisis
Research supports the importance of trust. The Deloitte Index 2016 Trust without Borders report indicates 94% of consumers believe that trust is more important than usability. The study also found that of the 14% of respondents who had received a data breach notification, 33% had greater trust because the notice confirmed that security monitoring and procedures were in place. Consumers want to be kept informed and only time will tell how Dropbox users respond to this recent situation and the management of it.
CloudFileSync is a secure file sync and share solution focused on securing data. With AES 256-bit encryption data is automatically protected at all points – on the server, during transmission and on the client. Data on the server is stored in encrypted vaults and is only accessible by authorised users authenticated through the CloudFileSync software, and encryption keys are held only by the customer to provide the highest level of security and data ownership. CloudFileSync has two-factor authentication for non-trusted IP address providing an extra layer of security and reassurance.
To learn more about how CloudFileSync can benefit your business, or to organize a demo Contact us