Dropbox data breach proves the “One Site, One Password” rule

A couple of weeks ago, Dropbox users started noticing an upturn in spam to email addresses they’d only ever used for Dropbox.

Understandably, they wanted to know, “Why?”

There are numerous possible explanations for this sort of thing.

Here are a few:

  1. An email address database at Dropbox got compromised.
  2. Email addresses leaked out from a non-database source at Dropbox.
  3. Malware on the user’s computer scooped up email addresses from the local hard disk.
  4. Malware logged passwords on the user’s computer.
  5. User inadvertently used the same email address somewhere else.
  6. User inadvertently used the same password somewhere else.
  7. Dropbox’s password database got stolen and cracked.
  8. Spammers got lucky guessing at email addresses.

With so many reasons to hand, tracking exactly why an email address suddenly saw a surge in spam can be tricky.

In the Dropbox case, however, the jury has now returned a verdict.

As in many multiple choice examinations, the right answer is “more than one of the above” – in fact, reasons (2) and (6).

Some users had used the same password on multiple sites, and a compromise elsewhere led to their Dropbox accounts being unlawfully accessed.

Unfortunately, the list of users who had re-used passwords included a Dropbox staffer. That user’s account was raided and gave up not one email address, but many, thanks to what Dropbox describes as “a project document with user email addresses.”

In other words, the breach (yes, I know email addresses alone don’t make much of a breach, but it’s the thought that counts) ended up being a mixture of poor practice both inside and outside the organisation. So, if you’ve ever doubted the value of the advice to choose a different password for each online account, this is a real-life case study to make you think again.
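As an added example (not part of the original post), the small audit below models the failure described above: given a constructed list of site/password pairs, it reports which passwords are shared across sites and which other accounts fall when one site’s password leaks. Site names and passwords are made up for the demonstration.

```python
"""Password-reuse audit: which accounts fall if one site's credential leaks?"""
from collections import defaultdict
from hashlib import sha256

# Constructed sample vault of (site, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("dropbox.com", "correct horse battery"),
    ("forum.example", "correct horse battery"),
    ("bank.example", "x9!Qm4#Lp2"),
    ("mail.example", "Lx7*vQ2&nb"),
    ("shop.example", "correct horse battery"),
]


def reuse_groups(vault):
    """Map a fingerprint of each password to the sites that share it.

    Only groups with two or more sites are returned. Hashing keeps the
    plaintext out of the report; equality of fingerprints is all we need.
    """
    groups = defaultdict(list)
    for site, password in vault:
        groups[sha256(password.encode()).hexdigest()].append(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Sites whose accounts are exposed when breached_site's password leaks.

    This is the "compromise elsewhere" scenario from the article: every
    other site using the same password is now reachable with the leaked one.
    Returns an empty list for an unknown site or a unique password.
    """
    creds = dict(vault)
    leaked = creds.get(breached_site)
    if leaked is None:
        return []
    return sorted(site for site, pw in vault if pw == leaked and site != breached_site)


if __name__ == "__main__":
    for fp, sites in reuse_groups(SAMPLE_VAULT).items():
        print(f"password {fp[:12]}... reused on: {', '.join(sites)}")
    print("a leak at forum.example exposes:", blast_radius(SAMPLE_VAULT, "forum.example"))
```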
