The huge Dropbox password leak that wasn’t

Graham Cluley

Update: Since this article was written, it has emerged that millions of Dropbox credentials have been exposed.

Read this article for more details: “Millions of Dropbox users are being advised to change their passwords”.

The original article is reproduced below for your reference.

A lot of people use Dropbox.

A lot of people put a lot of valuable, sensitive and personal data inside Dropbox.

A lot of people make the mistake of not encrypting their valuable, sensitive and personal data before they put it inside Dropbox.

Which all adds up to a whole heap of trouble if Dropbox suffers a data breach.

Alleged Dropbox breach

Fortunately, as Brian Krebs reports, recent claims from identity theft protection firms that Dropbox has suffered a massive password breach appear to be erroneous.

Troy Hunt – who knows a thing or two about verifying and responsibly disclosing data breaches – also chimed in, decrying that some had jumped to the conclusion that a serious breach had occurred without an attempt to independently verify, or even consult Dropbox itself.

Instead, the data swirling around the net appears to be derived from the mega breaches at Tumblr, LinkedIn and MySpace that have recently been in the spotlight.

Of course, if you were making the mistake of using the same password in multiple places – for instance, the same password for Dropbox that you use at Tumblr – then yes, you would be wise to change them.

But that’s far from claiming that Dropbox has suffered a huge password leak. Because there is no evidence to suggest it has.

Nonetheless, with so many mega-breaches making the news, there’s certainly no harm in hardening your security and – for instance – enabling two-step verification on your Dropbox account to make it harder for hackers to break into.

I don’t mean to suggest that Dropbox is immune from making security blunders, of course.

For instance, in 2012 one of its employees had his password stolen, and spammers managed to steal a database containing the email addresses of users.

And the year before, the site dropped a huge clanger – accidentally turning off all password validation for about four hours. That meant that anyone was able to access anyone else’s Dropbox account using any password.

Sheesh. Now do you see why I recommend encrypting your files before uploading them to Dropbox? It’s not just about stopping Dropbox or a government agency snuffling through your files – it’s in case Dropbox makes another goof like that in the future.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “The huge Dropbox password leak that wasn’t”

  1. Are you going to revise this article now they have admitted the breach of 68 million user names and passwords?
