Dropbox got hacked and there’s plenty of blame to go around in this debacle. Dropbox dropped the ball, but users made it worse. Call this a teachable moment.

Dropbox, the red-hot cloud storage service, admitted on Tuesday that it has been hacked. How many accounts were compromised and what data may have been stolen isn’t known, or if it is, Dropbox isn’t saying.

So what’s the lesson here? There are two:

No matter what vendors tell you, cloud storage isn’t, and probably never will be, completely secure.

Users who still haven’t figured out that using one password on multiple sites isn’t smart are simply asking to be hacked.

The Dropbox hack began to surface in mid-July when users of the file storage service noticed that they were getting spam directed to email accounts they use only to access Dropbox. That was an obvious tip-off that the leak was inside Dropbox. Once users began to post complaints about the spam to an online discussion forum, the company investigated. As late as last Friday, the company said it had no evidence of a hack.

That story changed radically on Tuesday when the company announced this via a blog post by Aditya Agarwal, the company’s VP of Engineering:

“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”

Notice what’s going on here. On the one hand, the company is admitting that its security was lax.
You know that because further down in the post is a list of four new things the company is doing to plug its leaky defenses. Then there’s this:

“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk.”

The last point is a good one. I have a friend who stores important documents in Dropbox, uses passwords over and over again, and keeps track of them in an unencrypted text file. Her security strategy: “I don’t name the file ‘passwords,’” she told me. I won’t embarrass my friend by printing her name, but she’s the kind of user who opens the door to hackers.

As the company points out, there are a number of tools you can use that will generate strong passwords and make it easy (and quite safe) to keep track of them. I use LastPass; Dropbox recommends 1Password.

The bottom line: Dropbox needs to forget that it’s hot and trendy and remember that it won’t stay successful if it doesn’t do a better job of keeping its users safe. And users have to act like responsible adults and take responsibility for their own security.