rvlsoft - Fotolia

Lessons from the Dropbox breach

Dropbox is the latest major company to confirm a data breach, albeit four years old, but – as with all recent data breaches by cloud-based services – it highlights some key security lessons

Dropbox has finally confirmed that the email addresses and hashed passwords of 68,680,741 accounts were exposed in a hack that took place in 2012.

The company advised potentially affected users to reset their passwords after learning about the cache of user credentials believed to have been harvested in the hack four years ago.

There are a number of lessons to be learned from this massive data breach that individuals and businesses should act on to ensure they are not among the next set of breach victims.

Never re-use a password

Access to the a “project file” containing user email addresses and (hashed and salted) passwords was possible because a Dropbox employee had used the same password the hackers had harvested from another data  breach.

A report by mobile identity firm TeleSign reveals that 73% of online accounts are guarded by duplicate passwords and that 54% of consumers use five or fewer passwords for all their online accounts.

Security experts recommend the use of a password manager to generate, store and manage strong, unique passwords for all online accounts.

Change passwords regularly

The breach only affects those Dropbox users who have not changed their passwords since 2012. By changing passwords regularly, even if breaches occur, they will be useful to hackers only for a limited time.

Businesses that force employees to change passwords regularly will also have reduced their exposure if any employees had used the same password for their Dropbox account, as well as any internal or other business-related accounts.

According to a TeleSign report, 47% of online account holders rely on a password that has not been changed for five years.

Dropbox has also updated the way it stores its passwords multiple times since 2012 – including updating its password hashing mechanisms to bcrypt from SHA-1 – so any subsequently changed passwords have several layers of protection.

Enable two-factor authentication

Even if passwords are compromised and cracked, if two-factor authentication (2FA) is enabled attackers will be unable to use the passwords without an additional passcode.

Security experts advise enabling 2FA on Dropbox and all other online account where this option is available.

“Whether your Dropbox account has been put at risk or not, this is just a bloody good idea,” said independent security consultant Graham Cluley in a blog post.

According to Paul Ducklin, senior technologist at security firm Sophos, attackers can purchase a password cracker for less than $20,000 (£15,000).

Under ideal conditions, such a tool would enable attackers to test a trillion passwords every second, which means every eight-letter password could be tested in just 2 seconds and every nine-letter password in under a minute, Ducklin wrote in a blog post.

Never completely trust service providers

While Dropbox has confirmed that the credentials were stolen in 2012, at the time the company said only email addresses were compromised without mentioning it amounted to nearly 70 million.

Dropbox has defended its actions by saying that there has been no indication that any accounts were accessed as a result of the breach.

The cloud-storage firm also prompted all users potentially affected by the breach to reset their passwords around a week before the scale and nature of the breach was made public.

Josh Feinblum, vice-president of information security at Rapid7, has praised Dropbox for its proactive action.

“Their customer-first approach was refreshing and likely mitigated a great deal of risk to their users. Their response to a challenging event is a great model for other cloud companies to follow if faced with a similar situation.

“It’s our belief that the open dialogue about security that companies such as Dropbox are promoting about risk, mitigation and action will help to strengthen the security and technology communities,” he said.

Take responsibility for data protection

Breaches such as the one at Dropbox shows how important it is for individuals and companies to take responsibility for the protection of their data, said Roman Foeckl, CEO of data loss prevention firm CoSoSys.

“It is important not to rely solely on the security measures set in place by third parties, especially when we are talking about confidential company data,” he said.

Foeckl said enabling 2FA and using complex, unique passwords are important, but it is even more important to avoid storing personal or business sensitive data on any app or container that is under the control of a third party.

Use data-centric security

Many companies rely on Dropbox for low-cost cloud storage and the log-ins compromised in this breach could leave sensitive data exposed, but IT departments may not even be fully aware of the extent of Dropbox usage, due to employees downloading and using the application without their knowledge, commonly known as shadow IT.

“Businesses must accept that data is likely to go places they don’t know and outside of their control. This means a new approach to data security is required, where it is protected no matter where it ends up or who is attempting to access it,” said Trent Telford, CEO of data security firm Covata

“Policies that restrict data from being downloaded, for example, are a way of utilising the cloud for its security benefits and delivering tight audit controls over who has accessed the data and when,” he said.

However, the Dropbox breach should not deter businesses from using the cloud to store their data, said Telford, because it can be a much more secure way of storing data, if done in the right way. 

“Critically, security needs to be inbuilt in each individual piece of data from the start, because it’s impossible to wrap the corporate arms around every endpoint and point of potential data leakage,” he said.

Get visibility of enterprise data in the cloud

The data breach as Dropbox highlights that a breach at any file-sharing service is a threat to businesses.

“Employees are increasingly using personal accounts at work too, leaving sensitive business data vulnerable,” said Nigel Hawthorn, chief European spokesperson at  cloud access security broker Skyhigh Networks.

“As more corporate information is migrated to the cloud, it’s incredibly difficult for organisations to monitor and control the risk posed without the right measures in place,” he said.

Businesses must be aware of all cloud services in use across the enterprise, said Hawthorn. “This enables them to respond to breaches, analysing how it may impact them and mitigating the risk to data by forcing password changes or halting traffic completely,” he said. 

Hawthorn also advises businesses to set policies regarding the handling of corporate data and define a sanctioned cloud services list. 

“By including options for all the common reasons for use, such as collaboration, file conversion and project management, employees can be encouraged to use only approved applications over riskier alternatives,” he said. 

“By combining cloud monitoring technology with existing identity and access management controls, firms can more easily identify and act when accounts have been compromised.”

Monitor for anomalous activity

Businesses are advised to monitor their IT systems for any anomalous activity to ensure that if reused passwords are leaked, any attacker attempting to use the stolen credential can be spotted and stopped.

If Dropbox itself had been using such monitoring technology in 2012, it may have been able to prevent the breach of user data by attackers using stolen employee credentials.

David Mount, director of security solutions consulting in Europe at Micro Focus, said it is good practice for all businesses to monitor for anomalous activity and to enforce the principle of least privilege.

“This is key to controlling how users are accessing data, especially for any accounts with privileged access,” he said.

With this visibility into data access, Mount said organisations need to evaluate the risk of access attempts in real time and based on contextual factors, such as device, location and normal usage patterns.

“The use of multi-factor authentication to augment passwords ensures that users are always who they say they are, limiting the risk of an individual successfully masquerading as an employee,” he said. 

“Finally, those businesses able to monitor user activity to spot issues quickly must then act quickly to take remedial action with no delay. This will help to limit any damage.”

Read more about data breaches

  • Mossack Fonseca breach underlines need to focus cyber security on key data, say experts, after law firm’s founder insists the company was breached by an outside hacker
  • Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
  • The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
  • Considering that a data breach could happen to any company at any time, a plan of action is the best tactic.

Read more on Privacy and data protection