Company Spokesman: 'It's Important to Vet Breached Data Carefully'

Dropbox, the widely popular web storage service, became caught in the crossfire of the latest mega breaches when several identity theft services recently misreported that its credentials had been leaked.
Blogger Brian Krebs first revealed that a batch of data advertised on underground websites and labeled as Dropbox credentials actually came from Tumblr's breach. The situation illustrated how not being careful in verifying breaches can lead to an embarrassing mixup.
"Based on this experience, I would caution everybody not to jump to judgment around some of these alleged data leaks until they've actually been verified by the experts," says Patrick Heim, head of Dropbox's trust and security, in an interview with Information Security Media Group.
In late May, the identity theft protection company LifeLock alerted its subscribers to a Dropbox breach, based in part on information supplied to it by CSID, another company that specializes in identity theft intelligence.
"Quite frankly, it was false," Heim says.
Dropbox had actually obtained the raw Tumblr data through confidential channels two months before that data - labeled as Dropbox's - was publicly posted on Twitter by a Russian hacker last month. "We actively pursue identifying information that may indicate there's risk to our users," Heim says. "We vet that information and take the appropriate action."
On June 8, LifeLock apologized to Dropbox, writing that "as any cybersecurity expert will tell you, determining the source of credentials can be a complicated business, made only more so by the nefarious parties involved."
'Slightly Nervous and Paranoid'
Dropbox has been carefully watching the events of the past few weeks. Upwards of 630 million credentials stolen years ago from LinkedIn, Tumblr, Fling, MySpace and Twitter were put up for sale on underground markets (see 'Historical Mega Breaches' Continue: Tumblr Hacked).
"I think a good security professional is never overly confident and always slightly nervous and paranoid," Heim says.
Dropbox, which counts 1 billion users, has a team that analyzes data dumps to figure out if its users will be impacted. There's a lot of intentional obfuscation in the world of hackers and data dumps, Heim says.
For example, Dropbox's team recently spotted a file first seen in 2014, purporting to be its users' credentials, reposted for sale. Heim says this time it carried a new bitcoin address for payment. Often, hackers obtain data they didn't actually steal and then offer it for sale, he says. "It's the underground scamming the underground," he says.
As for the latest breaches, Heim says nothing has dramatically changed. But he does suspect the data releases are fueling targeted phishing attacks. Most of the breaches have included email addresses, which are perennially useful for hackers.
Preventive Measures
To guard against account takeovers, Dropbox uses a system that analyzes authentication attempts and looks for signals that someone may be using automated tools to try many combinations of credentials, Heim says. The company will also proactively prompt users to reset their passwords if certain accounts appear at risk.
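The detection the article describes, one source trying many credential combinations, has a recognizable shape in authentication logs: one client address, many distinct usernames, a high failure rate in a short window. The following is an added illustration of that logic, not Dropbox's system or code; the log format, thresholds and sample lines are constructed for the example. Accounts that saw a successful login from a flagged source are the ones a service would proactively prompt to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 198.51.100.4 is
# one user who mistypes a password once; 203.0.113.7 cycles through many
# accounts in seconds, the shape that credential stuffing produces.
SAMPLE_LOG = """\
2016-06-10T12:00:01Z ip=198.51.100.4 user=alice result=fail
2016-06-10T12:00:09Z ip=198.51.100.4 user=alice result=ok
2016-06-10T12:00:10Z ip=203.0.113.7 user=bob result=fail
2016-06-10T12:00:11Z ip=203.0.113.7 user=carol result=fail
2016-06-10T12:00:12Z ip=203.0.113.7 user=dave result=fail
2016-06-10T12:00:13Z ip=203.0.113.7 user=erin result=ok
2016-06-10T12:00:14Z ip=203.0.113.7 user=frank result=fail
2016-06-10T12:00:15Z ip=203.0.113.7 user=grace result=fail
2016-06-10T12:00:16Z ip=203.0.113.7 user=heidi result=fail
2016-06-10T12:00:17Z ip=203.0.113.7 user=ivan result=fail
"""

# Hypothetical log line format: timestamp, client ip, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=5), min_failures=5, min_users=5):
    """Flag source IPs that, inside a sliding time window, fail many times
    against many distinct accounts. Thresholds are assumptions; tune them
    to the service's normal traffic. Returns {ip: {"failures", "distinct_users"}}
    with the worst window seen for each flagged ip."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failures = sum(1 for e in span if not e[3])
            users = {e[2] for e in span}
            if failures >= min_failures and len(users) >= min_users:
                best = flagged.get(ip, {"failures": 0})
                if failures > best["failures"]:
                    flagged[ip] = {"failures": failures, "distinct_users": len(users)}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the ones to prompt for a password reset and a closer look."""
    return sorted({user for ts, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(evs, hits))
```

The distinct-user count is what separates this pattern from a single user who forgot a password: the legitimate source above fails once against one account and is never flagged, even though the failure ratio for that one attempt is high.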
Many services - including MySpace and LinkedIn - have said that their breaches occurred prior to technical changes they made to lessen the impact of a data release, including stronger hashing algorithms for passwords and salting. A salt is random data added to each password before it is hashed, which makes the resulting hashes more difficult to crack.
Heim says he doesn't want to give away too much detail about Dropbox's security, but said it does use strong hashing algorithms. If there is a breach, the data would be, for all practical purposes, useless, he contends.
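To make the salting and strong-hashing points concrete, here is an added example (not Dropbox's implementation, which the article does not describe) contrasting the weak pre-breach pattern, one fast unsalted hash, with a per-user random salt and a deliberately slow key derivation function. PBKDF2-HMAC-SHA256 from Python's standard library and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; an assumption for this example. Raise it until a
# single verification costs a noticeable fraction of a second on your hardware.
ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme many older breaches exposed: a single fast hash with no
    salt. Every user with the same password gets the same digest, so one
    precomputed table cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Hash with a fresh 16-byte random salt and a slow KDF. The stored string
    carries algorithm, work factor and salt so it can be verified later and
    upgraded when the work factor changes."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users who happen to share a password.
    print("unsalted, user 1:", fast_unsalted_hash("correct horse"))
    print("unsalted, user 2:", fast_unsalted_hash("correct horse"))
    print("salted,   user 1:", hash_password("correct horse"))
    print("salted,   user 2:", hash_password("correct horse"))
```

With the salted scheme an attacker who obtains the table has to run the slow derivation separately for every guess against every user, which is the sense in which a leaked table of such hashes is, as Heim puts it, close to useless in practice.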
The company is also studying ways to encourage more users to employ two-factor authentication, which typically involves entering a one-time passcode in addition to a username and password. Less than 1 percent of Dropbox users have two-factor authentication enabled.
"That is a number we really, really want to drive up," Heim says.