Dropbox was hacked. Chorus of IT admins to users: "See? See?!"

A week or so ago Dropbox hired some "outside experts" to help investigate why a bunch of European users were getting spam at e-mail addresses used only for Dropbox storage accounts. It raised significant questions about the security of Dropbox, specifically, and also cloud services, in general.

So, what exactly happened with the popular service? Turns out Dropbox was hacked. The company said a stolen password was "used to access an employee Dropbox account containing a project document with user email addresses." Those stolen passwords were then used by hackers to spam e-mail addresses. Further, usernames and passwords obtained by the spamming effort were then used to "sign in to a small number of Dropbox accounts." That's the bad news.

As a result of the investigation, Dropbox recommended that all users change their account password and suggested they use a different password for each of the web-based services they are registered for (hello, 1Password!). The good news is Dropbox said it will beef up security measures by offering optional two-factor authentication, which could involve logging in with a password and then having a temporary code sent to the user's phone via SMS. There is also going to be a new feature letting users view all active logins to their accounts, similar to what Google offers with Gmail, to help identify suspicious activity.

These are all good steps. But, with this hack and last year's snafu, which left all user accounts unsecured and accessible with any password for four hours, companies that ban Dropbox altogether are looking smarter and smarter.

Yesterday, a few reporters (cough, Brian Madden, cough, the SearchConsumerization team, cough) at TechTarget realized that Dropbox had been blacklisted from the network. We couldn't access the website and the desktop clients weren't allowed to sync. There were a few complaints, sure, but mostly we just went about our lives and switched to SkyDrive or any of a handful of other cloud storage and file syncing services.

It's probably no coincidence the blacklist occurred on the same day Dropbox announced it was hacked. Still, like most companies dealing with the Dropbox problem, TechTarget didn't announce a new policy about acceptable cloud storage use, nor did it offer an acceptable alternative (Box just raised $125 million in investment money to further become that enterprise alternative) for employees to use. It just shut off access. That's a big mistake. It's fine to blacklist Dropbox -- now more than ever -- but organizations still need to offer an acceptable alternative that meets IT's security requirements and employees' ease-of-use requirements, because cloud storage and file syncing across endpoint devices aren't going away.

Regardless, it's always an eye-opener when you have to deal with CoIT at your workplace after covering it!

Join the conversation



Was the irony unintentional when you suggested 1Password, which uses Dropbox to sync passwords across devices?


@Sean -- Totally unintentional! It was just the first password management tool that popped into my head.   But yeah... irony of ironies, I suppose.


The fundamental problem that no cloud storage vendor has solved yet, is how to prevent data from being sync'd or downloaded to a non-company approved device (ask Box, I did).

Without that, I don't understand why any of this is even a debate.  None of the cloud storage providers are even remotely secure.  Period.  And by design, it's almost not possible to make them secure.  Why anyone would even think about allowing any of these services on their network is way beyond me.

It is possible to stop 99% of it, contrary to what all the doomsayers on this site constantly claim.  The 1% will find a way through, but that'll just make your defenses better for next time.


I'd take a look at LastPass