Dropbox is implementing two-factor authentication and creating a webpage so users can track logins after attackers used stolen passwords to access user accounts, including one used by the Web-based storage service's employees.
San Francisco-based Dropbox acknowledged on Tuesday its storage service was compromised by attackers using passwords recently stolen from other websites. The company didn't say how many accounts were compromised. The compromised Dropbox employee account contained a project document with user email addresses, a likely cause of a recent spam campaign that has frustrated Dropbox users.
"We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again," the company said in a blog entry about the incident.
Dropbox could not be reached for comment Wednesday morning. There is no indication of the exact source of the password compromise, but news of the Dropbox security breach followed a massive password breach in June at Palo Alto, Calif.-based social network LinkedIn. A file containing 6.4 million hashed passwords surfaced on a Russian hacking forum. LinkedIn hashed but didn't salt its account holders' passwords. The breach cascaded to other services, including online dating service eHarmony, Google and Facebook. In some cases, the services reset accounts or warned users about the need for strong passwords and railed against using the same password for multiple accounts.
Dropbox said it would implement two-factor authentication in a few weeks, giving users the option to better secure their accounts by requiring two proofs of identity at login. The service is similar to one supported by Google, which sends a temporary code to the user's cell phone to verify the authenticity of the login.
Giving users the option of using two-factor authentication is a positive step, but other technologies need to be in place to prevent a whole range of attacks, said Pete Lindstrom, research director at Spire Security.
"I don't think authentication and how many factors you have is a key deterrent to most types of attacks I worry about against data in the cloud," Lindstrom said. "There's the issue of collateral damage with these types of services; how much do you inherit the risk of your neighbor?"
A new webpage is now available to account holders listing all active logins on their account. In addition, the company said it was adding automated mechanisms to identify suspicious activity. If an anomaly triggers an alert, the company could require users to change their password or ask for additional information for verification.
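As an added illustration of the automated suspicious-activity checks described above (example code, not Dropbox's own), here is a minimal per-account login anomaly detector run over constructed login records; the field names, the one-hour travel window and the two response actions are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class LoginEvent:
    user: str       # account identifier
    country: str    # geolocated source country of the login
    device_id: str  # device fingerprint or long-lived cookie presented at login
    ts: int         # Unix time, seconds (events are assumed to arrive in order)

@dataclass
class Profile:
    countries: set = field(default_factory=set)  # countries confirmed for this user
    devices: set = field(default_factory=set)    # devices confirmed for this user
    recent: list = field(default_factory=list)   # (ts, country) of recent attempts

class LoginAnomalyDetector:
    """Per-user baseline; evaluate() returns the action a login should trigger."""
    def __init__(self, travel_window=3600):
        self.travel_window = travel_window  # seconds; two countries inside it is suspicious
        self.profiles = defaultdict(Profile)

    def evaluate(self, ev: LoginEvent) -> str:
        p = self.profiles[ev.user]
        # Drop attempts outside the window, then compare this login against what remains.
        p.recent = [(t, c) for t, c in p.recent if ev.ts - t <= self.travel_window]
        countries_in_window = {c for _, c in p.recent} | {ev.country}
        new_country = bool(p.countries) and ev.country not in p.countries
        new_device = bool(p.devices) and ev.device_id not in p.devices
        p.recent.append((ev.ts, ev.country))

        if len(countries_in_window) > 1:
            return "force_password_reset"  # one account, two countries within an hour
        if new_country or new_device:
            return "require_additional_verification"  # e.g. confirm via email or phone
        # A first-ever login, or a known device from a known country, extends the baseline.
        self.confirm(ev.user, ev.country, ev.device_id)
        return "allow"

    def confirm(self, user: str, country: str, device_id: str) -> None:
        """Called once a challenged login passes verification, so it joins the baseline."""
        self.profiles[user].countries.add(country)
        self.profiles[user].devices.add(device_id)

if __name__ == "__main__":
    # Constructed sample: normal use, then a new device, then a second country within an hour.
    det = LoginAnomalyDetector()
    for ev in [LoginEvent("alice", "US", "dev-a", 0), LoginEvent("alice", "US", "dev-b", 1200),
               LoginEvent("alice", "DE", "dev-a", 1800)]:
        print(ev.user, ev.country, ev.device_id, "->", det.evaluate(ev))
```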
"At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use," Dropbox said, urging account holders to consider using a password manager to maintain strong passwords across multiple websites.
Dropbox, remote storage security
Dropbox uses an encrypted SSL connection and claims its website is hardened against attacks, but experts point out that a valid password often evades even the most expensive, layered security defenses. Public folders are not browsable or searchable, Dropbox said. It stores data on Amazon's Simple Storage Service (S3).
Lindstrom said organizations should have data leakage protection (DLP) in place to detect the use of the services and control the company's most precious data assets. "It's clear that people are using these storage services but hopefully they're using it for the low risk kinds of data storage and data sharing," Lindstrom said.
Security experts have long warned enterprises to monitor, and in some cases block, employees' use of remote file storage services. Enforcing restrictive policies is getting more difficult due to the increased use of smartphones that provide instant access to Dropbox and other services.
Use of remote storage services could increase the risk of losing sensitive corporate data, experts say. Users could also grant permission for third-party applications to tap into the stored data.