New from Dropbox: Don't Underestimate a Breach

Dropbox is a popular file hosting service which has won several awards for its ease of use and clean design. However, the cloud storage company has come under fire for security concerns, which have once again reared their ugly head.

Below, we will discuss the hack itself, what Dropbox could have done to prevent it and how cyber-attack insurance can defend people and businesses following a data breach.

Original Incident  

In July 2012, Dropbox disclosed that more than 68 million accounts had been compromised due to a hacking incident. While Dropbox originally claimed that only email addresses were lifted, the latest news reveals the hackers also stole hashed and salted passwords.

Dropbox says the problem was first brought to their attention in March 2013, when customers complained they were receiving spam through email addresses used exclusively for their Dropbox accounts. At the time, Vice President of Engineering Aditya Agarwal explained that only a small number of stolen usernames and passwords had been used to access user accounts.

Four years later, however, the problem's true scale was revealed. Scarier still is that the information from the 68 million hacked Dropbox accounts is now available for free download online, following a near-$1200 price tag for the data dump on the dark web.

While Dropbox maintains that no malicious activity has been recently observed, CyberPolicy recommends that Dropbox customers who used the service before mid-2012 reset their passwords to secure their files and personal information. Ignoring this advice could lead to unfamiliar account activity, stolen files or other forms of information leak.

Comes Back Around  

There are several things Dropbox could have done differently. While Dropbox notified customers about the breach in 2013, they incautiously recommended that users change their sign-in credentials via an in-email link. This is not dissimilar to the phishing emails cybercriminals use to steal login information, and it should be avoided by legitimate companies that value customer protection.

Furthermore, when Dropbox investigated the spam problem, they discovered the attacks were traceable to an internal breach!

While working on an undisclosed corporate site, an employee's password was stolen and used to access their Dropbox account. Hackers were then able to access a document used by the employee containing user email addresses, which were later spammed by the intruder.

In retrospect, the employee probably should have used dummy data instead of real sign-in information to prevent this situation. Be that as it may, it is not surprising the breach occurred in this way, as a large percentage of security rifts are rooted in employee negligence or weak password protocol.

In fact, 59 percent of people reuse passwords, despite being urged not to. This can have damaging effects on any account with similar credentials, including banking, email, business logins and social media accounts.

While it's impossible to entirely eliminate the risk of a data breach, companies and consumers can greatly minimize the threat by following smarter password protocol and investing in cyber-attack insurance from a reputable provider.

Don't Go the Way of Dropbox

While malicious activity due to the Dropbox incident hasn't yet been observed, this ought to be a wake-up call for businesses in two ways. First, even the simplest security oversights can follow your company for years; and second, external breaches at the services you use could open your small business to cyber threats.

Protect your most valuable customer and company data with cyber-attack insurance from CyberPolicy. Get your free quote today!
