August 1, 2012
After initially claiming that a breach was not to blame for the rash of spam sent to its users, cloud-based file transfer and storage service Dropbox confirmed that lapses in security had led to users' email addresses and account details being compromised, according to a blog post by the company. The internal investigation revealed that multiple breaches caused the deluge of unwanted email, but none involved a successful attack on the service's bread and butter: cloud security.
The initial breach was due to usernames and passwords being stolen from a variety of other websites, though the company did not specify which. A second breach involved a password stolen from an employee. Once that employee's account was accessed, the hacker used a project document to gain more account information.
Data security in cloud computing services like Dropbox has gained a negative reputation in recent months, as such services began to catch on with employees looking to expand their mobility without organizational permission. While the breach likely means much scrutiny and negativity directed at Dropbox for its inability to protect its own data, it shouldn't spell doom for the cloud.
In an effort to stem what will likely be a growing tide of concern, Dropbox included the announcement of new data protection measures right alongside the confirmation of the breach. Secure cloud computing is what the company banks on, so ensuring that it was protected - along with its own reputation - was paramount.
Among the controls added was two-factor authentication for sign-in, as a way to control endpoint access to data uploaded to the service. Other ways for users to monitor access to their accounts, along with automatic warnings about suspicious usage, were also included.
In a column discussing the announcement for CIO Magazine, Bill Snyder mentioned that while Dropbox's plan does admit that its own security measures were slightly subpar, the company itself does not bear the majority of the blame. According to Snyder, if the breaches did indeed happen as claimed, it puts some of the onus on user and password security.
While part of that may be addressed by the company's new access controls, Snyder asserts that much of it comes down to users failing to follow good web security practices. If passwords can be stolen on another website and used on Dropbox, it indicates that users are not doing all they can to protect themselves from hackers.
-McAfee Cloud Security