On the 18th July, Dropbox announced that they had begun investigating claims from users of their service of receiving Spam to email addresses that had been associated only with Dropbox accounts. Two weeks later, it seems the mystery has been solved.
Dropbox have stated that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts“. One of these improperly accessed accounts happened to belong to a Dropbox employee account “containing a project document with user email addresses“. Which is what they believe led to the Spam.
For me there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a “project document”, why, shouldn’t they be using dummy data? This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised. It is not specified which services they refer to, but again, why?
Secondly, Dropbox chose to inform their customers of the breach with an email notification containing a link to reset their password. This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a web site to enter any kind of credentials. To compound matters, according to user reports there was no notification of the attack and required password resets on the home page, which would have helped give credibility to the password reset mail they sent out. In an ideal world, an affected organisation could send out an email notification, but instead of a password reset link, they should direct users to browse to the corporate home page and follow the information there.
Finally, Dropbox have stated that, as a result of the intrusion, some user passwords have been reset (“In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)”). The question that arises from that is, how do Dropbox know if a given user password is “commonly used”? Are they storing passwords in the clear? Are they storing passwords using an unsalted hash (like LinkedIn were)? Are they using a common salt for every user and a hashing algorithm designed for speed rather than security? If any of these are true, then their password database is vulnerable to a rainbow table attack, which is not very confidence inspiring news. Ideally user passwords should be stored with a unique salt for every user and using an algorithm that allows a “work factor” to be introduced into the hashing process, such as Blowfish. This drastically increases the time taken to crack individual passwords and because the work factor is variable, it can be modified to keep up with advances in processing power. Increase the work factor, the hash gets slower. The effect is negligible on an individual calculation, but mass calculation of rainbow tables becomes impractical.
It’s great to hear that Dropbox are implementing two factor authentication for their users along with the other security enhancements they are announcing but this news and they way it was handled still leave many questions unanswered.
Aside from that, Dropbox users should now have their guard up for a Dropbox themed phishing campaign or two. This eventuality, will be abused by criminals. It’s another object lesson in why using secure unique password generators for your multiple online accounts is a good thing. If you can’t trust your service providers, then you must take responsibility for your own security.