This post was originally published on October 17, 2014.
Snowden called it, apparently. In a recent interview, the NSA whistleblower warned cloud storage users to avoid Dropbox because the service doesn’t use encryption. Now, links to hundreds of Dropbox usernames and passwords have appeared on a Reddit thread, with a call to donate Bitcoins if interested parties want to see more.
But the company says their servers are safe, instead pointing the finger at third-party services and reused passwords. So what’s the bottom line — is Dropbox nothing more than soggy cardboard, or a convenient target for leak scams?
“Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts” says a Pastebin message in one of the leak threads. “More to come,” it promises, “keep showing your support.” According to The Next Web, Reddit users allegedly confirmed the hacked credentials were legitimate, but had no way to tell if Dropbox was to blame.
It’s not difficult to see how such a breach could have happened: as Edward Snowden noted, the cloud service is light on encryption. Although Dropbox has since added encryption for files on its servers and in transit, it offers no protection for files on user computers. More importantly, Dropbox holds both user data and passwords; other services, such as SpiderOak, say they keep no readable version of this information on their machines. This means a Dropbox leak could have originated either on the user end or through hackers gaining access to company servers — Dropbox maintains the latter never occurred.
Pointing the finger
When news of the leak went public, Dropbox reset all user passwords. Then, they released a statement to Techly, saying “Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.” These “other services” remain a mystery, however, since Dropbox has no idea where the credentials came from. The service does say that most of the passwords posted were already expired, and a follow-up post on the company’s blog shifts some of the blame to users, saying “we strongly encourage users not to reuse passwords across services.”
So what’s the final verdict? Was Dropbox really hacked? As it stands, the answer appears to be “no” — and even if it were true, no one seems interested in paying for more leaks, since donations to the hacker’s Bitcoin address are stalled at around five cents.
But here’s the thing: real or fake, from Dropbox or some other site, this leak speaks to a common concern. Is your data ever really safe?
Not exactly rare
Dropbox isn’t alone in the cloud breach gang. Who can forget the recent iCloud celebrity picture thefts or “The Snappening”, which saw thousands of illicit Snapchat photos and videos posted online? Some critics have taken to calling out users for trusting cloud services in any form, and certainly the Snowdens of the world agree: keeping all of your data offline is the safest possible option.
It’s also a tall order. We’ve become accustomed to on-demand file sharing, instant access to photos, videos and all manner of communication. Asking the average user to stop using cloud services is like asking them to put down the smartphone and have a full-length dinner conversation; it could happen, but it wouldn’t be fun for anyone. And sure, services like SpiderOak offer better protection than your “typical” cloud storage provider, but given the sheer amount of data users are willing to share, save and transmit online, hackers can always find a way through.
Unless you’re anonymous. Sure, use cloud storage and shop online, but instead of doing it under your own IP address, use our secure VPN service to cloak your actions from prying eyes. Think of it like a “tunnel” between your computer and the Internet at large, protected by 256-bit encryption. In effect, you’re invisible: hackers see only our IP address, and no one can snoop on your Dropbox passwords or hot Snapchats, even if you’re using a public WiFi hotspot.
Did Dropbox get hacked? Maybe. Is it vulnerable? Absolutely. Don’t trust soggy cardboard; get your data a steel cage.