Over recent weeks, fears of a breach at Dropbox fueled a great deal of speculation when clients of the cloud-storage service noticed an increase in spam arriving at e-mail addresses they had registered only there. To their credit, Dropbox quickly got an investigation rolling into what happened and how otherwise confidential client information could have leaked, and yesterday they acknowledged the cause: one of their employees had their account breached.
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts,” the cloud-storage company writes on their official blog. “We’ve contacted these users and have helped them protect their accounts.”
But the real meat of the story is what happened when one of those passwords belonged to an employee:
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
Dropbox has apologized for this failure of internal security and has put new security measures in place to deal with it in the future—the company is even working to beef up security for clients. However, none of this will help if an employee is compromised again; after all, this breach didn’t hit clients because they were lazy about their own security, it hit them because an employee’s account was taken over with a password reused from another site.
In the past, Dropbox has been dinged over a policy that apparently permitted employees access to users’ files on the service, and attracted the attention of the FTC for their trouble. That some employees are capable of accessing that data makes them valuable targets for attackers, who can use Trojans or stolen credentials to borrow an employee’s authority and do just that. We’ve seen numerous cases where attackers bypassed client-facing security measures by gaining privileged access through employees, then going in the back door and exfiltrating sensitive information that way.
So far so good; but we’re going to need a little more to establish trust
Dropbox has done a good job so far: quick to push the investigation forward and transparent about what happened. It’s in their best interest to make sure their clients know, first, that none of their sensitive files or data was compromised—only a list of e-mail addresses, which is fairly minor in this day and age—and second, that they discovered what happened and will be able to guard against it in the future.
What we’ve seen here is a very basic POPI (Protect Our Proprietary Information) violation by an employee.
There are lots of ways to help resolve this, and the primary ones are better training, stricter rules on passwords used inside the company, and better access controls. According to Dropbox’s account, the access controls already in place prevented the attackers from getting anything but that list of e-mail addresses, but the breach itself was extremely preventable.
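To make the two controls above concrete, here is an added example (not Dropbox’s code, and not from the original article) of what a defender can do about reused passwords: reject a new internal password if it appears in a list of credentials already leaked elsewhere, and flag the login pattern that stolen password lists produce, namely one source address trying many different usernames in a short window. The log format, the addresses and the breached-password list are all constructed for the example; real deployments would feed this from an actual auth log and a real compromised-password corpus.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of passwords "leaked from other websites" (example only).
# Only SHA-1 digests are kept so the plaintext never sits in the policy store.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1", "letmein", "dropbox2012")
}

# Constructed authentication log (not real Dropbox data). One attacker address
# walks through a stolen credential list; one user simply mistypes once.
SAMPLE_AUTH_LOG = """\
2012-07-31T10:00:01 ip=203.0.113.7 user=alice result=fail
2012-07-31T10:00:02 ip=203.0.113.7 user=bob result=fail
2012-07-31T10:00:03 ip=203.0.113.7 user=carol result=fail
2012-07-31T10:00:04 ip=203.0.113.7 user=dave result=success
2012-07-31T10:00:05 ip=203.0.113.7 user=erin result=fail
2012-07-31T10:00:06 ip=203.0.113.7 user=frank result=fail
2012-07-31T10:01:10 ip=198.51.100.2 user=alice result=fail
2012-07-31T10:01:40 ip=198.51.100.2 user=alice result=success
"""

LOG_LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def is_known_compromised(password):
    """Stricter password rule: refuse any password already seen in a breach."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_PASSWORD_HASHES


def parse_auth_log(text):
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        ts, ip, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "result": result})
    return events


def detect_credential_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Flag source addresses that try many distinct usernames within a window.

    Returns {ip: {"distinct_users": n, "compromised_accounts": [users that
    succeeded inside the flagged window]}}, keeping the widest window per ip.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within window_seconds
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_distinct_users:
                continue
            successes = sorted({e["user"] for e in span if e["result"] == "success"})
            prev = flagged.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[ip] = {"distinct_users": len(users),
                               "compromised_accounts": successes}
    return flagged


if __name__ == "__main__":
    print("reused password rejected:", is_known_compromised("password1"))
    hits = detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['distinct_users']} usernames tried, "
              f"accounts to reset: {info['compromised_accounts']}")
```

The accounts listed under `compromised_accounts` are the ones that deserve the forced reset and the “we’ve contacted these users” e-mail; the distinct-username threshold is what separates a stolen-list replay from one person mistyping their own password.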
Moving forward, Dropbox needs to show that they’re prepared to protect their clients’ data more comprehensively by establishing tighter controls around even the e-mail addresses used to create accounts.
Furthermore, they might as well add that to their feature list, even if it doesn’t directly affect clients’ ability to reach their files.