Many Dropbox users may have been surprised to receive a prompt when they signed into their cloud-storage service account: “Choose a new and strong password.”
In a blog post to users, Heim of Dropbox spoke of the company’s forced password reset. The reset specifically applies to individuals who joined Dropbox “prior to mid-2012 and haven’t changed your password since.” Heim stated that this was a precautionary measure in light of a previous incident in which the passwords from 68 million accounts were stolen. The connection to the current password reset is that Dropbox “learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords)” that were obtained in the 2012 hack.
As for the actual users in potential danger of a hack, Heim recommended changing to strong passwords. The company provided a “password strength meter” to guide users during the reset process. Additionally, the blog post encouraged Dropbox users to enable two-factor authentication, which Dropbox defines as utilizing text messages (I don’t personally recommend this), mobile apps (again I think this is a bad idea), or a security key (this is absolutely what you should do).
This incident is of some potential embarrassment to Dropbox, as the company felt that the 2012 hack was already dealt with. With this resurgence of focus on old account data, one has to wonder if the statement “we’re doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed” is factual. How can Dropbox not know whether there has been illegal access to user accounts from an old hack? Someone in the security division really dropped the ball here, as only a slipshod investigation into the breach could have caused this.
To the company’s credit, however, it is engaging in a more forward-thinking security practice. Heim states at the end of the blog post that Dropbox is utilizing “a broad set of controls including independent security audits and certifications, threat intelligence, and bug bounties for ethical hackers.” The best way to ensure, at least in my opinion, a truly strong network security system is getting help from third-party sources. Internal IT divisions can be blind to their own coding errors (or any other vulnerabilities), as any penetration tester will likely tell you. By using independently contracted hacking and InfoSec professionals, there won’t be as much of an issue of egos impeding security.