Dropbox Breach leaves unanswered questions

Salt by SoraZG used under creative commons

On 18 July, Dropbox announced that they had begun investigating claims from users of their service that spam was arriving at email addresses which had been associated only with Dropbox accounts. Two weeks later, it seems the mystery has been solved.
 
Dropbox have stated that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts”. One of these improperly accessed accounts happened to belong to a Dropbox employee and contained “a project document with user email addresses”, which is what they believe led to the spam.
 
For me there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a “project document”. Why? Shouldn’t they have been using dummy data? This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised. Dropbox do not specify which services they mean, but again, why was a corporate password being reused anywhere else at all?
 
Secondly, Dropbox chose to inform their customers of the breach with an email notification containing a link to reset their password. This practice goes against the years of advice we have given, warning users not to click links in unsolicited mails, especially those asking you to visit a website and enter any kind of credentials. To compound matters, according to user reports there was no notice of the attack and the required password resets on the home page, which would have lent credibility to the password reset mail they sent out. In an ideal world, an affected organisation would still send out an email notification, but instead of a password reset link it should direct users to browse to the corporate home page themselves and follow the information there.
 
Finally, Dropbox have stated that, as a result of the intrusion, some user passwords have been reset (“In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)”). The question that arises from that is: how do Dropbox know whether a given user’s password is “commonly used”? Are they storing passwords in the clear? Are they storing passwords using an unsalted hash (as LinkedIn were)? Are they using a common salt for every user and a hashing algorithm designed for speed rather than security? If any of these are true, then their password database is vulnerable to a rainbow table attack, which is not very confidence-inspiring news. Ideally user passwords should be stored with a unique salt for every user and using an algorithm that allows a “work factor” to be introduced into the hashing process, such as Blowfish. This drastically increases the time taken to crack individual passwords, and because the work factor is variable, it can be raised to keep up with advances in processing power. Increase the work factor and the hash gets slower. The effect is negligible on an individual calculation (one login), but mass calculation of rainbow tables becomes impractical.
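The following is an added illustration, not code from the post or from Dropbox. It contrasts the two storage schemes described above and shows why a “commonly used” check is a cheap table lookup against unsalted hashes (the same property a rainbow table abuses) but costs a full slow hash per candidate per user once a unique salt and a work factor are in place. PBKDF2-HMAC stands in for the Blowfish-based bcrypt the paragraph alludes to because it ships in Python’s standard library; the common-password list is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of "commonly used" passwords for the demonstration.
COMMON_PASSWORDS = ["password", "123456", "dropbox", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Unsalted, fast hash: identical passwords give identical hashes for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def is_common_unsalted(stored_hash: str) -> bool:
    """One precomputed table answers the question for the whole user base at once;
    an attacker with the database can do exactly the same with a rainbow table."""
    table = {unsalted_sha1(p) for p in COMMON_PASSWORDS}
    return stored_hash in table


def hash_password(password: str, work_factor: int = 12) -> str:
    """Per-user random salt plus a tunable cost of 2**work_factor iterations.
    PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt (assumption)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** work_factor)
    return f"pbkdf2${work_factor}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    scheme, wf, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 2 ** int(wf)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_common_salted(stored: str) -> bool:
    """With a unique salt there is no shared table: every candidate must be
    hashed at full cost for this one user, so the check only scales at login time."""
    return any(verify_password(p, stored) for p in COMMON_PASSWORDS)


def needs_rehash(stored: str, current_work_factor: int) -> bool:
    """Flag hashes made with a lower work factor so they are upgraded at next login."""
    return int(stored.split("$")[1]) < current_work_factor
```

Because the salt is random, two users with the same password get different stored strings, and raising the work factor only touches a user’s hash the next time they present the password.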
 
It’s great to hear that Dropbox are implementing two-factor authentication for their users along with the other security enhancements they are announcing, but this news and the way it was handled still leave many questions unanswered.
 
Aside from that, Dropbox users should now have their guard up for a Dropbox-themed phishing campaign or two; this eventuality will be abused by criminals. It’s another object lesson in why using a password manager to generate secure, unique passwords for your multiple online accounts is a good thing. If you can’t trust your service providers, then you must take responsibility for your own security.
 

10 thoughts on “Dropbox Breach leaves unanswered questions”

  1. John Medos

    This is a real fail from Dropbox. :( But honestly, I’m afraid this might happen in many other services as well, but that’s not the reason to stop using them. We just should be careful about what we share with them…

  2. Simon Fletcher

    It all sounds like too little, too late, too difficult – do customers really want to muck around with one-time codes to mobile phones? What happens if you haven’t got your mobile phone with you? There are better ways of doing two-factor authentication, using nothing more complex than a four-digit PIN…
