Expert: Dropbox leak highlights password security dangers


Hackers’ attempts to target Dropbox this week underline the need for consumers to tighten their password security, warns a cybersecurity expert, who also urges cloud service providers to better educate their customers.

“It’s a shared responsibility - the providers’ responsibility is to protect the service, but the users’ responsibility is to protect their credentials,” Tal Klein, senior vice president at Palo Alto, Calif.-based cloud security specialist Adallom, told on Tuesday. “Every time you put data in the cloud, you need to do a quick summation of how valuable the data is and how it should be protected.”

Hot on the heels of last week’s news that hackers had obtained a vast haul of Snapchat images, hundreds of alleged usernames and passwords for cloud storage provider Dropbox were posted on the website Pastebin on Monday. In the post, an anonymous Pastebin user claimed that almost seven million Dropbox accounts had been hacked and offered to publish more in return for Bitcoin payments. A second post of about 100 alleged Dropbox usernames and passwords appeared late Monday.

The claims prompted a response from Dropbox security engineer Anton Mityagin in a blog post on the company’s website on Monday. Dropbox, he explained, had not been hacked. “Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” wrote Mityagin. “Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”

Mityagin added that Dropbox has measures in place to detect suspicious login activity and automatically resets passwords when that happens. Dropbox also strongly encourages users not to reuse passwords across services, according to the engineer. “For an added layer of security, we always recommend enabling two-step verification on your account,” he added.
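The two measures Mityagin describes, detecting suspicious login activity and resetting the passwords of affected accounts, come down to spotting one client trying many different usernames (the signature of a stolen-list replay) and then singling out the accounts where such a client actually got in. The script below is an added illustration of that triage and is not Dropbox's code; the log format, the addresses and usernames in the sample lines, and the thresholds are all constructed for the example.

```python
"""Credential-stuffing triage over constructed login-log lines.

Added example, not Dropbox's own detection code. It reproduces the two
defensive steps the article attributes to Dropbox: flag sources whose login
pattern looks like a stolen-credential replay, then list the accounts that
need an automatic password reset. Log format, addresses, usernames and
thresholds are assumptions made for this illustration.
"""
from collections import defaultdict

# Constructed sample log, one event per line: "timestamp source_ip username result"
SAMPLE_LOG = """\
2014-10-13T10:00:01 203.0.113.7 alice FAIL
2014-10-13T10:00:02 203.0.113.7 bob FAIL
2014-10-13T10:00:02 203.0.113.7 carol FAIL
2014-10-13T10:00:03 203.0.113.7 dave FAIL
2014-10-13T10:00:03 203.0.113.7 erin OK
2014-10-13T10:00:04 203.0.113.7 frank FAIL
2014-10-13T10:00:05 198.51.100.2 alice OK
2014-10-13T10:00:09 198.51.100.2 alice OK
"""

# Heuristic thresholds (assumed values; a real deployment tunes them to its traffic)
MIN_DISTINCT_USERS = 5   # one client cycling through many accounts is the stuffing signature
MIN_FAILURE_RATE = 0.5   # a list stolen elsewhere mostly fails where passwords were not reused


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def suspicious_sources(events):
    """Group events by source address and flag sources that try many distinct
    usernames with a high failure rate. Returns {ip: stats}."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        distinct_users = len({e["user"] for e in evs})
        failure_rate = sum(1 for e in evs if not e["ok"]) / len(evs)
        if distinct_users >= MIN_DISTINCT_USERS and failure_rate >= MIN_FAILURE_RATE:
            flagged[ip] = {"distinct_users": distinct_users, "failure_rate": failure_rate}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts where a flagged source logged in successfully: that success means
    the stolen credential was reused here, so the password is forcibly reset."""
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["ok"]})


def triage(text):
    """Full pipeline: parse, flag sources, list accounts needing a reset."""
    events = parse_log(text)
    flagged = suspicious_sources(events)
    return flagged, accounts_to_reset(events, flagged)


if __name__ == "__main__":
    flagged, resets = triage(SAMPLE_LOG)
    for ip, stats in flagged.items():
        print(f"suspicious source {ip}: {stats}")
    print("force password reset for:", resets)
```

On the constructed sample, the first address is flagged (six distinct usernames, five of six attempts failed) and only `erin` is queued for a reset: she is the one account that the replayed list actually opened, which is exactly the reuse case the engineer warns about. The second address, one user logging in twice successfully, is left alone.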

In a subsequent blog posting early Tuesday, Mityagin said that the second list anonymously posted on Pastebin does not contain usernames and passwords associated with Dropbox accounts.

While it’s still unclear where the hacker obtained the usernames and passwords, Adallom’s Klein says that the latest security brouhaha should serve as a password security warning to consumers.

In particular, users should avoid re-using passwords. “We need to start thinking about our experience in cyberspace as having the same parallels to real life,” he told “You wouldn’t use the same lock and key on your house as you would on your car.”

Klein also urges users to employ “complex,” also known as “strong,” passwords.

Microsoft defines a strong password as at least eight characters long and containing a combination of uppercase and lowercase letters, as well as symbols and numbers. The password should also not contain complete words, according to the software giant, which urges consumers to avoid user names, real names and company names.
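The rules quoted above can be turned into a checker that reports every rule a candidate password breaks rather than a single pass/fail. The function below is an added example written for this article, not Microsoft's or Dropbox's code; the small word list standing in for a dictionary, the minimum-length constant and the identity fields it compares against are assumptions made for the illustration.

```python
"""Strong-password check implementing the rules the article attributes to
Microsoft: at least eight characters, upper- and lowercase letters, digits
and symbols, no complete words, and no user name, real name or company name.
Added example, not Microsoft's or Dropbox's code. COMMON_WORDS is a
constructed stand-in for a real dictionary.
"""
import re

MIN_LENGTH = 8
# Constructed word list; a deployment would load a full dictionary instead
COMMON_WORDS = {"password", "dropbox", "summer", "welcome", "monkey", "letmein"}


def strong_password_problems(password, username="", real_name="", company=""):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    lowered = password.lower()
    # "should not contain complete words": a dictionary word embedded anywhere fails
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains the word '{word}'")
    # avoid user names, real names and company names (each part of a real name counts)
    identity_tokens = {username, company, *real_name.split()}
    for token in sorted(identity_tokens):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains identity string '{token}'")
    return problems


def is_strong(password, **identity):
    """Convenience wrapper: True only when no rule is violated."""
    return not strong_password_problems(password, **identity)


if __name__ == "__main__":
    for candidate in ("Summer2014!", "Jsmith#2014", "xT7#qv9!Lm"):
        print(candidate, strong_password_problems(candidate, username="jsmith", real_name="John Smith"))
```

The check is case-insensitive on purpose: `Summer2014!` satisfies every character-class rule and still fails, because the embedded word is what a guessing tool would try first, and `Jsmith#2014` fails on the user name even though it too mixes all four character classes.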

Password management has been in the spotlight recently, particularly after a news report in August that a Russian crime ring had stolen 1.2 billion password and username combinations.

Set against this backdrop, Klein believes that cloud service providers like Dropbox have a big part to play in improving their customers’ cybersecurity knowledge. Providers, he told, should carefully explain complex passwords and how to use two-factor authentication.

Unlike the Dropbox incident, in which the credentials had been stolen from unrelated services, the Snapchat leak involved third-party apps. Like Dropbox, Snapchat also said that its servers were not hacked.

Roger Kay, president of Wayland, Mass.-based research firm Endpoint Technologies, told on Monday that the Snapchat leak may indicate that some hackers are shifting strategy.

“It actually reminds me of an earlier era of hacking when people did it for notoriety rather than profit,” he said. “Most of the real crooks just want bank account numbers.”

Follow James Rogers on Twitter @jamesjrogers