Dropbox denies password hack, but ‘encourages’ two-factor authentication

Dropbox has denied that it has been compromised as hackers leak hundreds of passwords online, promising to release circa 7 million more unless they’re paid a ransom.

The hack appears to be a complete scam, but password reuse made the ransom request plausible.


Is it time for us all to use two-factor authentication?    

Dropbox has denied it has been hacked, saying the passwords were stolen from third-party services.However, the hosting service is encouraging its customers to “to be proactive about their security online” by adopting two-factor authentication.

An entry on Pastebin, posted on October 13 at 4:10 pm CDT, showed a list of 400 emails and matching plaintext passwords, and claimed to be part of a large-scale Dropbox hack.

The hackers were said to be “requesting” Bitcoin “donations” to release the rest of the allegedly exfiltrated Dropbox user data – a ransom demand? (Lawyers: would you like to comment?).

On Monday  October 13, the Dropbox Blog reported that “Dropbox wasn’t hacked”, and on Tuesday they announced that “A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.” [Source: Dropbox wasn’t hacked]

Dropbox wasnt hacked

So, Dropbox wasn’t hacked. Should we all breathe easy now?

Answer: no. To quote Anton Mityagin for Dropbox: “Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.”

To quote The Guardian: “Password reuse is blamed for some of the leaked details being seemingly coincidentally valid for Dropbox. It is unknown how many of them worked, but Dropbox has since revoked any that it found to be valid.”

Other password leaks in recent months have been used in a similar manner, and then reused and rereleased by hackers hoping to sell the data on to other criminal actors via dumps websites. The Guardian points out that the Russian hacking scare in August, in which security researchers Hold Security claimed hackers had 1.2bn usernames and passwords, was questioned by others as a similar situation to the Dropbox scare. That is to say, a collation of previous credential leaks was combined with other data to look like the haul from a successful, large-scale hacking attack, to inflate the price that could be charged for the data. [Source: Dropbox denies claim that 7m Dropbox logins were hacked, Tuesday 14 October].

Data dumps containing stolen passwords and identities can appear convincingly valuable to less experienced hackers. Further down the cyber crime web, even a few valid passwords for services like Dropbox are the dust that 1849 gold miners panned for (as opposed to the large, shiny nuggets of pure gold). In the case of the data leaked on Pastebin, Dropbox’s team has since revoked any that it found to be valid, so the window of opportunity for would-be hackers was a limited one. The ‘dust’ is therefore fool’s gold, as worthless as iron pyrite.

Should Dropbox users be worried about this development and what can they do to improve the level of their online security?

Two-step authentication: why should we change habits?

Dropbox’s advice is clear: “Even if a website or app has strong security controls, your online accounts can become vulnerable to attack if you reuse passwords or have weak passwords. That’s why we strongly recommend turning on two-step verification for Dropbox and other sites that support it.” [Source: Have you enabled two-step verification? Dropbox Blog.]

Two-step verification is a process involving two subsequent but dependent stages to check the identity of an entity trying to access services. This is the simplest case of a multi-factor authentication, which might involve only one of the three types of authentication factors (a knowledge factor like a password, a possession factor like a USB stick, and an inherent factor like a fingerprint) for both steps.

What is the accepted ‘standard’ for password security?

According to NIST (National Institute of Standards and Technology), a strong password should contain no fewer than 12 characters, a rule adopted by the US government in 2007 and further defined in the US Government Configuration Baseline. Admin passwords should be 15 characters. These lengths have been the recommended minimum for half a decade. Anything shorter is not considered secure. How long is your password, and are you considering strengthening it now?

The international standard for information security, ISO27001:2013, lists a control for password management systems, which states that such systems should be interactive and ensure quality passwords. The Information technology — Security techniques — Code of practice for information security controls (ISO/IEC 27002:2013) provides useful implementation guidance concerning password protection, including:

9.3.1 Use of secret authentication information

d) when passwords are used as secret authentication information, select quality passwords with sufficient minimum length which are:

1) easy to remember;

2) not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.;

3) not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);

4) free of consecutive identical, all-numeric or all-alphabetic characters;

5) if temporary, changed at the first log-on.

Helping your organization become cyber secure

Large corporations that manage sensitive data should align their information security management system (ISMS) to ISO27001, the international information security standard.

This ISO standard is recognized worldwide and provides a level of assurance to stakeholders that you take information security seriously. Implemented by over 22,000 organizations globally and with a growth rate of 36% in the US last year, ISO27001 is fast becoming one of the most recognized standards worldwide. Not only will it increase security within your business, it also provides a base framework for information security, helping you comply with multiple cybersecurity laws, including HIPAA and FISMA.

Want a little help and advice about information security risks? Are you looking to gain ISO27001 certification in 2015 to put an effective information security management system (ISMS) in place?

You need to ‘Get a Little Help’ – from IT Governance!

Our Get A Little Help ISO27001 package  is a value-for-money package for organizations that already have some management system expertise (with ISO9001, or ISO20000, for instance) and an initial understanding of information security management, the necessary internal resources, and a corporate culture of using best-in-class tools and skills to accelerate learning and implementation, while still essentially following a do-it-yourself approach to project management.

We can help you to implement effective cybersecurity procedures and controls using ISO27001. Spend a minute on our ISO27001 solutions page

Put your detailed questions to our consultants and learn from the experts:

Call us on 1-877-317-3454 today.