Dropbox urged to reset all its users' passwords in wake of breach

News
By
published

Security experts claim file sharing site's post-breach guidance could leave users exposed to further attacks.

Password login page

Dropbox has come under fire from a slew of IT security experts for the advice it has given users in the wake of this week's password breach.

As reported by IT Pro yesterday, the online file sharing service confirmed this week that some users' passwords had been stolen and used to access their accounts.

The bottom line is, when you have a breach, always assume the worst case scenario.

The affected users were then bombarded with spam, which was sent to the email addresses they had used to set up their Dropbox account.

Dropbox claims the passwords were obtained by hackers that had compromised other sites, which suggests they preyed on people who use the same login details across multiple sites.

The firm has since advised affected users to change their passwords, but Rob Sobers, technical manager at security vendor Varonis, said the company should reset all users' details as a matter of course.

"[Dropbox] are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached yet," he asked.

Citing the recent LinkedIn data breach, which resulted in 6.5 million of the site's users having their passwords published on a Russian web forum, Sobers said sites should be wary of taking the data hackers publish at face value.

For instance, just because a hacker publishes millions of passwords, that does not mean that's all the data they have.

"The bottom line is, when you have a breach, always assume the worst case scenario," said Sobers.

"Dropbox may be risking another breach from the same attack by [not] forcing a [widescale] password reset. That's a really curious decision.

"Needless to say, if you're a Dropbox user, go reset your password," he concluded.

Meanwhile, Grant Taylor, vice president for Europe at security vendor Cryptzone, said the Dropbox breach is proof that companies should not be storing corporate data on its servers.

"We would go further and argue that people should not be using Dropbox for many business purposes," said Talyor.

"Free services, by their very nature, don't have the features to facilitate corporate control and management."

Caroline Donnelly
Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.