You may be reading headlines like this one from the Daily Mail, “‘Your stuff is safe’: Dropbox denies hack after anonymous post claims it has the personal details of up to 6.9 MILLION users”, about another large cache of users falling prey to hackers, or rather attackers [Steve Gibson – bringing back attacker instead of hacker]. However, this is a good example of a couple of issues that we all need to remind ourselves of in these heady times. One, not all headlines of reported hacks are what they seem to be. There are groups that want salacious headlines for a number of reasons: to chum the waters for phishing attacks, to bring attention to a security company’s products, or as link bait for a website. I won’t pretend to know what the reasons are for this group to report the event. Dropbox has denied that their user accounts have been compromised and I believe them. It is in their best interest to admit that an event has occurred. This is the first rule of responding in a crisis management event – get the truth out quickly and over-communicate. This is what builds trust, even in a crisis where you are responsible. Not to link bait myself, but the CDC could apply this to their handling of the Ebola crisis.
Second, it is a reminder for users who still use the same password on multiple sites that they are at risk. The current theory on this event is that this group took a set of user accounts purchased on nefarious sites, tried them at Dropbox, and found a subset where the username and password were successful on Dropbox. Here is a quick reminder of what not to use for a password, taken from Ms. Smith of Network World on the Top 25 Most Common Passwords here.
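The pattern described above, a purchased credential list replayed against a site, is what a defender would look for in login logs. The following is an added example, not from the original post or from Dropbox: a small Python script over constructed sample audit lines that flags a source trying many distinct usernames with a low success rate, and lists the accounts whose reused passwords actually worked (the log format and thresholds are assumptions).

```python
from collections import defaultdict

# Constructed sample login-audit lines (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-10-13T20:01:02Z 203.0.113.7 alice@example.com FAIL
2014-10-13T20:01:03Z 203.0.113.7 bob@example.com FAIL
2014-10-13T20:01:03Z 203.0.113.7 carol@example.com OK
2014-10-13T20:01:04Z 203.0.113.7 dave@example.com FAIL
2014-10-13T20:01:05Z 203.0.113.7 erin@example.com FAIL
2014-10-13T20:01:06Z 203.0.113.7 frank@example.com OK
2014-10-13T20:05:00Z 198.51.100.4 alice@example.com FAIL
2014-10-13T20:05:20Z 198.51.100.4 alice@example.com OK
"""


def parse_log(text):
    """Parse the assumed space-separated format into (ts, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, successes, attempts)} for sources that look like
    a credential list being replayed: many distinct usernames from one source with a
    low success ratio. A single user fumbling their own password never trips this."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "attempts": 0})
    for _ts, ip, user, outcome in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if outcome == "OK":
            stats["ok"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = (len(stats["users"]), stats["ok"], stats["attempts"])
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged source: these are the
    reused credentials that actually worked and are the ones to force-reset."""
    return sorted({u for _t, ip, u, o in events if ip in flagged and o == "OK"})
```

The successful logins from the flagged source are exactly the accounts whose owners reused a password leaked elsewhere, so a reset list drops out of the same pass over the log.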
So what can you do? If you are using the same password across multiple sites, you have two choices. One, use a password manager like LastPass, or one of the other password management tools I have covered in this blog post here. Two, if you don’t want to pay for those services, then do yourself a favor and choose three passwords: use one very secure password on all your banking and financial sites, one at work, and one on all your other news or web accounts.