Sunday afternoon Dropbox made a code update to their system that disabled their authentication mechanism.They left the front door unlocked for 4 hours. If you knew an account holder’s username, any password you typed in would unlock the account. Dropbox claims less than 1% of users logged in during that period time and those users have been contacted. I was one of them. In my case, I remember logging in to my Dropbox account on Sunday afternoon, although I don't recall the specific time. I just received my MacBook Air back from the Apple Depot and as an additional security precaution thought it would be good form to change the passwords to my most sensitive services. Dropbox sent me an email letting me know that my account was logged in during the time of the breach, but because I accessed my account during that time, I now have no way of knowing whether the access was just my access or whether anyone else logged in to my account as well. Thus far, it doesn't appear that Dropbox can tell whether an account was accessed with an inappropriate password. Though it appears that none of my data has changed. Aside from their initial blog post, Dropbox has provided no official information as of the date of this post. As a security precaution, I changed my password again as soon as I learned of the breach.
In my last post, ironically posted during the time of the security breach but before it became public knowledge, I commented about how I stored my entire Documents folder on Dropbox and how this act saved the day when my Air suddenly died and required service. We also sung the virtues of Dropbox on Mac Power Users Episode 47 and I explained how I implemented my system of creating a symbolic link to my documents folder in Dropbox. (It should be noted that I've cleaned out my Documents folder so that it truly only includes Documents.)
What to do now? I’m still going to use Dropbox, but I am going to be more aware of what's in there. Dropbox is simply too convenient a service for me to stop using it and my workflow has become too depending on it. I have never stored confidential information in Dropbox unencrypted. While I wouldn’t want anyone reading the contents of my Documents folder, it contains mainly word processing documents, spreadsheets and presentations, no financial or client confidential information.
Someone asked me if I was going to continue to use Dropbox sync for applications like 1Password. Yes, because the 1Password database is additionally encrypted within Dropbox, the file itself is useless. My guess is the 1Password folks will review this incident and discuss it further in their blog.
The reality is these security breaches are going to happen because the people who run these systems are human, and humans make mistakes. I will not vilify them, but I do expect them to learn from the experience and implement better security and testing procedures. Am I upset? You bet. But hammering out an angry blog post will serve no productive purpose. I expect changes are already in progress at Dropbox to ensure this type of embarrassment does not happen again, however their reputation has been tarnished. I am also concerned this accidental incident may make Dropbox a bigger target for malicious attacks.
We as users must take a hard look at the services that we take for granted and take better steps to control our own privacy and security, we can't count on companies to do this for us. While we have no control over what happens at the corporate and the sever level, there are things we can and must to do protect our information:
- Do not store confidential information in the cloud unencrypted
- Use strong passwords and change them frequently
- Read and understand the Terms of Service for the services you use
- Stay on top of what the company is doing