Credeon Blog

Hackers hold 7 million Dropbox passwords ransom

“Hackers are threatening a major breach in Dropbox security, claiming to have stolen the login details of almost 7 million users” - Claire Reilly

One of the more recent security breaches has Dropbox wondering how hackers got hold of 7 million passwords! The popular cloud storage service denies it has been compromised and says the passwords were taken from unknown third-party services. So why did the perpetrators hijack all those passwords? Bitcoin (BTC) digital currency! The hackers released a list of 400 emails and matching passwords on October 13, 2014 as a tease to get the public to donate BTC. As more BTC is donated, more passwords are released. If you haven’t done so already, please change your Dropbox password. Also, you might want to consider using a 3rd party cloud encryption service to protect your files in case hackers get past the server-side security offered by the cloud service provider by stealing passwords.

Dropbox and Box leak files in security-through-obscurity nightmare

“A major vulnerability was identified… in the online platform of Box and Dropbox that allows for the discovery of private file transfer links… data can be read by third parties or indexed by search engines” - James Sanders

In May 2014, cloud-based file locker Intralinks discovered a major vulnerability through which Box and Dropbox users unknowingly allowed private data to be read by third parties or indexed by search engines. Intralinks found that if users shared files by sharing Box and Dropbox links, and those links were pasted into a browser search box instead of the URL bar, the links could be indexed by search engines and made available to third parties. Imagine sharing a link to tax and social security information with your spouse. Your spouse then unwittingly pastes that link into their browser search box. Over time, that link would be indexed and could potentially show up in search results for someone searching for tax and social security information. Using a 3rd party cloud encryption service to protect your files in the cloud would mitigate the risk this breach presents, because even if someone finds the link through the method described above, they would only have access to an encrypted version of your file.

Google Drive Found Leaking Private Data — Another Warning About Shared Links

“A disturbing privacy problem has been discovered in Google Drive which could have resulted in sensitive personal or corporate information stored on the cloud service being accessed by unauthorized parties” - Graham Cluley

Google Drive was under fire in July 2014 after acknowledging a hyperlink security hole, similar to the hyperlink vulnerability that Dropbox and Box encountered a few months earlier, described above. If you shared a link that allowed “anyone who has the link” to view it, chances are unknown third-party websites were able to see your files. The owners of those third-party websites receive a referrer URL, allowing them to potentially access your sensitive information stored on Google Drive. One way to avoid this risk is to turn off the settings that allow “anyone who has the link” to view the file and require authentication to access the link or file. An even stronger approach is to use a 3rd party cloud encryption service to encrypt files prior to storing and sharing them with colleagues. This ensures that only those with an encryption key that you explicitly share with them can unlock the content in the file.

Dropbox Password Breach Leads To Mass Security Alert

“Dropbox has become the latest web service to suffer a huge security breach. Thousands of users had their usernames and passwords stolen after hackers targeted the online hard drive and file sharing site”
Michael Rundle

Not a few people, not even a few hundred, but thousands of users had usernames and passwords stolen from Dropbox back in January 2012. Dropbox’s investigation concluded that usernames and passwords were stolen from other websites and then used to access Dropbox accounts. Additionally, a Dropbox employee’s account was accessed, containing a document with user email addresses. Dropbox has since apologized for this major security breach and recommends that users regularly change their passwords. As with the other breaches described here, using a 3rd party cloud encryption service to encrypt your files BEFORE they are stored in the cloud is a very strong way to protect your sensitive data even in the event of an unforeseen data breach.

Jennifer Lawrence, Victoria Justice, Other Celebs Victims Of More Leaks, Apple Denies Breach

“A leak that started as the latest round of personal pictures hacked from celebrities’ phones turned into a vast invasion of the privacy of actress Jennifer Lawrence and a handful of others”
Rachel Zarrell

The Celebrity Photo Leak of 2014 reminded us that our files in the cloud may not be as secure as we initially thought. Shortly after the photos of several celebrities were posted on Reddit, Apple released a statement saying that iCloud was not breached. Rather, it was “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.”

What are we to do to prevent thieves from accessing our files if/when our passwords are stolen? Encryption is the answer! Simply encrypting files before sending them to the cloud would prevent stolen files from leaking information. Jennifer Lawrence, Kate Upton, Vanessa Hudgens, Lea Michele and other celebrities failed to encrypt their files using a 3rd party cloud encryption service before storing them in the cloud. Had they done so, thieves with stolen passwords would still have gotten access to the photo files, but they would not have been able to decrypt and view them.

In all of the cases described above, the fundamental issue that led to risk for the consumer was that the cloud service provider had access to unencrypted versions of their files. Cloud storage is very convenient and not going away. So why not use the cloud, but do it safely? Encrypt your sensitive files using a 3rd party cloud encryption service before you store them with Google, Dropbox, Apple, etc. and rest well knowing your files are safe in the event of a security breach such as the ones discussed here.
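To make the encrypt-before-upload idea concrete, here is an added example (not from the original post and not Credeon's product code) that encrypts a file locally with AES-256-GCM using Node.js's built-in `crypto` module, then shows what someone holding the share link or the account password would retrieve. The `cloudStore` map, the link path and the sample file contents are constructed stand-ins for a real provider and real data.

```javascript
// Added example: client-side encryption before upload, using Node.js built-in crypto.
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Encrypt locally; the uploaded blob is nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function encryptForUpload(key, plaintext) {
  const nonce = randomBytes(12); // fresh nonce per file; never reuse one with the same key
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Decrypt a downloaded blob; throws if the key is wrong or the blob was modified.
function decryptDownload(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Constructed stand-in for the storage provider: it only ever receives ciphertext.
const cloudStore = new Map();

function demo() {
  const key = randomBytes(32); // stays on the owner's device, shared out of band
  const file = Buffer.from('constructed sample: tax return 2014, SSN 000-00-0000');
  cloudStore.set('share/example-link', encryptForUpload(key, file));

  // What a stolen password or an indexed share link gives access to:
  const leaked = cloudStore.get('share/example-link');
  const readable = leaked.includes(Buffer.from('tax return'));

  // Without the owner's key, decryption fails the authentication check.
  let openedWithoutKey = true;
  try {
    decryptDownload(randomBytes(32), leaked);
  } catch {
    openedWithoutKey = false;
  }

  // The owner, or anyone explicitly given the key, recovers the file.
  const recovered = decryptDownload(key, leaked).toString();
  return { readable, openedWithoutKey, recovered };
}

console.log(demo());
```

The protection holds only while the key is kept outside the cloud account: a key file stored next to the ciphertext is exposed by the same stolen password or leaked link.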
