Dropbox gets a black eye in spam attack

The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise more forcefully after being hit by a spam attack that stemmed from the breach of an employee's account.

Dropbox confirmed Tuesday that a stolen employee password led to the theft last month of a "project document" that contained user e-mail addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling Web sites.

In investigating the theft, the company found that usernames and passwords stolen from other Web sites were used to access "a small number" of Dropbox accounts, an indication that account holders were using their credentials on multiple sites. Experts consider that practice a serious security risk, because hackers often use stolen credentials to enter other services.

[See also: Dropbox blames employee account breach for spam attack]

Although some spam recipients claimed to use unique email addresses for Dropbox, the company said its investigation showed its internal systems had not been hacked. Nevertheless, the spam attack has not helped the company in its efforts to be seen as more than just a free consumer-oriented service. That effort started last year with the launch of a paid business service called Dropbox for Teams.

"I am doubtful that they are enterprise-ready at this time," said John Kindervag, analyst for Forrester Research. "Their focus and incentives are not yet properly aligned."

Others agreed that Dropbox still has a ways to go. "Dropbox has had a checkered history with security, but perhaps this was the wakeup call they needed," Chester Wisniewski, senior security adviser for Sophos, said in an interview via email.

Dropbox has said it will beef up security in light of the breach. The company soon plans to introduce a number of new controls, including two-factor authentication in which a temporary code would be sent to a user's mobile phone.

Other security upgrades include a new page that shows logs of user activity and other automated mechanisms for identifying suspicious activity. Dropbox may also start prompting users to change passwords that have been in use for a long time.

While Dropbox's security plans are likely to be welcomed, the bigger problem for businesses is that workers use such cloud-based services -- without a corporate okay -- to store sensitive documents that could violate compliance laws or internal data privacy rules, Kindervag said. Dropbox would not be the place to store such information, because the site doesn't provide businesses with adequate levels of control, such as auditing of data and tracking who got the information and what was done with it.

"While I certainly understand that users often feel like they need to do things to get their job done, they need to think about the security implications," Kindervag said. "Dropbox, from my perspective, is a very consumer kind of solution."

Despite the security risks, more employees in the future are expected to use services, mobile devices and other new technologies outside the control of IT departments. Gartner predicts that in less than three years, 35% of enterprise IT expenditures will occur outside of the corporate budget. As a result, many experts advise companies to abandon their command-and-control strategy and adopt a more cooperative tactic to deal with workers looking for the easiest way to get their jobs done.

Dropbox's changes should improve the security of users' accounts, and other companies such as Google, Facebook and Microsoft have already implemented many of the same features, Wisniewski said. As an added precaution, users of cloud-based storage should rely on tools, available from security vendors, for encrypting data before it is stored in the cloud.

"Personally, I don't store anything in the cloud that I wouldn't want publicly accessible unless it is encrypted," Wisniewski said.

Dropbox is one of many free or low-cost file-sharing services available to consumers and businesses. Competitors include ADrive, Box.net, Flickr, Carbonite, Google Gmail, Mozy, SugarSync and YouSendIt.

Read more about cloud security in CSOonline's Cloud Security section.

Stories by Antone Gonsalves