Can you believe it? Even after everything we know about “hacking” and access management, companies are still falling victim to inside jobs and weak identity access controls. The latest comes from file storage and file sharing company Dropbox. It traces its origin all the way back to 2012, when the company initially disclosed that user emails were the only data stolen; however, it’s much worse than that. It all seems to have stemmed from an actual employee Dropbox account that allowed easy access to the data!
The exact statement made:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
The employee’s password was obtained and ended up being used to access a document that held a massive number of email addresses. Because Dropbox stored user passwords “hashed and salted,” it appears that the hackers were only able to obtain the hashed Dropbox user passwords but were not able to crack them. Still, it has taken this long to figure out that more information was accessed than was believed four years ago.
Sources say that on top of the emails disclosed in 2012, a large number of associated passwords were taken. At the time of the breach (or inside job), Dropbox was shifting from the SHA-1 hashing function to the more advanced bcrypt scheme. Despite the fact that these password hashes were pushed out to the “dark web,” it doesn’t seem that the hash protections have been cracked.
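As an added example (not from the post or from Dropbox), here is the migration the post describes: a login path that verifies a legacy salted SHA-1 record and, on the next successful login, transparently re-hashes it with a slow salted KDF. PBKDF2 from the Python standard library stands in for bcrypt, and the `sha1$`/`pbkdf2$` record formats and the sample user store are constructed for illustration.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash (stand-in for bcrypt's cost parameter).
PBKDF2_ITERATIONS = 200_000


def legacy_sha1(password: str, salt: bytes = b"") -> str:
    """Legacy record: salted SHA-1, fast to compute and so cheap to brute-force offline."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Upgraded record: salted PBKDF2-HMAC-SHA256 with a high iteration count."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    scheme, _, rest = stored.partition("$")
    salt_hex, _, expected = rest.partition("$")
    if not salt_hex or not expected:
        return False
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        actual = hashlib.sha1(salt + password.encode()).hexdigest()
    elif scheme == "pbkdf2":
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()
    else:
        return False
    return hmac.compare_digest(actual, expected)


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate, and on success upgrade any legacy SHA-1 record in place.

    The plaintext password is only available at login, so this is the moment a
    hash migration can happen without forcing every user to reset.
    """
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        store[user] = strong_hash(password)
    return True
```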
The hackers used the employee’s password, which had been reused from the LinkedIn breach, to gain access to Dropbox’s corporate network and lift user credentials. So it’s not 100% the fault of Dropbox, but the breakdown in security standards within the company emphasizes the pitfalls of reusing passwords across online services. This happened in 2012, when Dropbox was still an emerging organization, and since then the company has raised its security standards. In the end, though, it is interesting not only that they have been relatively vague about this massive breach but also that it has taken so long to “come out in the wash.” It is another major reason to be watching companies focused on blocking improper identity access.