Investigators analyzing the systems behind Dropbox have not yet determined the scope of the breach, according to the company, which acknowledged Wednesday that the investigation into how much access attackers had to the company's internal systems remains ongoing.
Responding to questions from SearchSecurity.com, a spokesperson for the San Francisco-based remote file storage service declined to comment any further than the company's July 31 blog post. Dropbox acknowledged on Tuesday that it believes attackers used passwords stolen from another website to gain access to a number of user accounts, including an employee storage account.
"Since the investigation is still ongoing, I can’t go into further detail other than what we said in our blog post," the spokesperson said. "We’re still monitoring the situation but have determined that a small number of users were affected. We have contacted all the users where we have detected suspicious activity."
The Dropbox security breach announcement stated that the company would "continue to monitor the situation," but didn't address whether a computer forensics team was still investigating the scope of the breach to internal systems. Dropbox said it was adding features to bolster the security for users of the service, including an optional two-factor authentication service, a login activity page and automated systems to detect anomalous activity.
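The two automated controls mentioned above, a per-account login activity view and detection of anomalous activity, can be sketched in a few dozen lines. The following is an added illustration, not Dropbox's code; the log format, the sample lines, the five-minute window and the four-account threshold are all constructed assumptions. It flags two patterns a defender would want to see after a stolen-password incident: one source address replaying credentials against many different accounts in a short window, and a successful login from an address the account has never used before.

```python
"""Toy login-anomaly detector (added example, not Dropbox code).
Log lines, thresholds and the log format are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source_ip> <success|failure>"
SAMPLE_LOG = """\
2012-07-16T09:00:00 alice@example.com 198.51.100.7 success
2012-07-16T09:01:10 alice@example.com 198.51.100.7 success
2012-07-16T22:14:00 alice@example.com 203.0.113.9 success
2012-07-16T22:14:02 bob@example.com 203.0.113.9 failure
2012-07-16T22:14:03 carol@example.com 203.0.113.9 success
2012-07-16T22:14:05 dave@example.com 203.0.113.9 failure
2012-07-16T22:14:06 erin@example.com 203.0.113.9 failure
2012-07-16T22:14:08 frank@example.com 203.0.113.9 success
2012-07-17T08:30:00 bob@example.com 192.0.2.44 success
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events, key=lambda e: e[0])


def login_activity(events, user):
    """The per-account 'login activity page' view: every attempt recorded for one user."""
    return [(ts.isoformat(), ip, result) for ts, u, ip, result in events if u == user]


def spraying_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Source IPs that tried at least `min_accounts` distinct accounts inside `window`.
    A stolen password list being replayed against many accounts looks like this,
    whether or not the individual attempts succeed."""
    by_ip = defaultdict(list)
    for ts, user, ip, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def new_source_logins(events):
    """Successful logins from an IP the account has never logged in from before.
    The baseline is built only from earlier successes, so the first login of an
    account is never flagged and failures never extend the baseline."""
    seen = defaultdict(set)
    alerts = []
    for ts, user, ip, result in events:
        if result != "success":
            continue
        if seen[user] and ip not in seen[user]:
            alerts.append((user, ip, ts.isoformat()))
        seen[user].add(ip)
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(evts))
    print("new-source logins:", new_source_logins(evts))
    print("bob's activity:", login_activity(evts, "bob@example.com"))
```

On the constructed log this flags 203.0.113.9 for touching six accounts in eight seconds and raises one new-source alert for alice's evening login from that same address, while bob's later login from a fresh address is silent because it is his first success. In a real deployment the baseline would be persisted per account and the thresholds tuned against normal traffic, but the shape of the check is the same.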
A company employee was among those targeted by attackers, who used stolen passwords to gain access to their Dropbox accounts. The employee's storage folder held a project file that contained account holder email addresses that investigators believe were used in a variety of spam and phishing campaigns. Affected users complained on a Dropbox forum that they received spam messages pushing online gambling sites.
The company hired an outside firm to investigate its systems. It has not said how it would address security internally or whether it needs to address its security policies.
Dropbox urged account holders to use strong passwords and consider using password management tools to avoid using the same password for multiple services.
The focus of password breaches is often on encouraging account holders to use better password management practices, but experts say enterprises need to step up to better protect their user accounts. Organizations can begin by conducting a database inventory to determine what systems store usernames and passwords. Database management systems should be fully patched and the added step of database activity monitoring could help detect unauthorized access.
Password breach fallout
The attacks on Dropbox accounts came shortly after LinkedIn's massive password data breach. An attacker posted a file containing nearly 6.5 million passwords on a Russian hacking forum, requesting assistance from other hackers to crack the hashed passwords. LinkedIn was criticized for failing to salt its account holder passwords, a process that makes password cracking much more difficult.
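The criticism of LinkedIn above rests on one property of unsalted hashes: every user with the same password produces the same hash, so a single precomputed table answers every leaked hash at once. The example below is added here to make that concrete and is not code from LinkedIn or Dropbox; it uses SHA-1 merely as a stand-in for any fast unsalted hash, PBKDF2-HMAC-SHA256 as the salted alternative, and a constructed five-word list in place of a real cracking wordlist. The iteration count and user names are assumptions.

```python
"""Unsalted versus salted password storage (added illustration, not vendor code).
SHA-1 stands in for a fast unsalted hash; the wordlist and users are constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for a wordlist of common passwords.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Fast, deterministic, no per-user input: the weak scheme."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Per-user random salt plus a deliberately slow derivation (assumed iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """What a server should store: the salt in the clear next to the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def build_lookup_table(words) -> dict:
    """Precomputed table for the unsalted scheme: hash each word once, reuse forever."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(leaked_hashes, table: dict) -> dict:
    """With no salt, each leaked hash costs a single dictionary lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def demo() -> dict:
    """Constructed user set: two users share a common password, one has a strong one."""
    users = {"alice": "password", "bob": "password", "carol": "s7!kQz#m9Lp"}

    # Unsalted: alice and bob are visibly identical in the dump, and the table
    # built once from COMMON_PASSWORDS recovers their password with no further hashing.
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = recover_unsalted(unsalted.values(), table)

    # Salted: the same password yields a different hash per user, the precomputed
    # table matches nothing, and every guess has to be rerun against each user's salt.
    salted = {u: make_record(p) for u, p in users.items()}

    return {
        "unsalted_distinct": len(set(unsalted.values())),
        "unsalted_recovered": len(recovered),
        "salted_distinct": len({r["hash"] for r in salted.values()}),
        "table_hits_on_salted": sum(r["hash"].hex() in table for r in salted.values()),
        "verify_ok": verify("password", salted["alice"]) and not verify("wrong", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The numbers the demo returns tell the story: three users collapse to two distinct unsalted hashes, and the shared one is recovered from the precomputed table, whereas the salted records are all distinct and the table hits none of them. Salting does not make a weak password strong; it removes the ability to amortise one table across every account in the dump, and the slow derivation makes each remaining per-user guess cost real time.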
The LinkedIn breach caused problems at a number of other online services. Google, Last.fm, Facebook and others reached out to affected users who may have used the same password for multiple accounts, a poor practice, say security experts.
The LinkedIn breach cascaded to other services, including online dating service eHarmony, Google and Facebook. In some cases, the services reset accounts or warned users about the need for strong passwords and railed against using the same password for multiple accounts.