Dropbox’s security chief has urged users to ensure they have unique passwords as hackers frequently target customers by using passwords gathered from data breaches at other websites.
Patrick Heim, head of trust and security at Dropbox, said this was the biggest threat to users, rather than sophisticated zero-day exploits or malware-driven events.
“On a daily basis it’s very obvious that our customers and users are getting attacked, and the way they are being attacked isn’t through technical wizardry,” he said at a briefing attended by V3.
“We don’t see zero-day attacks targeting us. What we see is password testing because of password reuse.
“The number one challenge is consumers reusing credentials across multiple websites, and we see a pattern where websites will get hacked, they may not even know it, and then encrypted passwords are stolen.”
Heim went on to explain that stolen passwords can be decrypted rapidly, in an almost industrial fashion, and are then bulk-tested against websites and cloud storage services until a breach results.
Heim said that soon after a password hack, Dropbox can see testing activity on its users’ accounts as cyber criminals and opportunistic hackers try to put the decrypted passwords to use or sell them to other criminals.
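The "testing activity" Heim describes has a recognisable shape in authentication logs: one source tries many different accounts, each once or twice, with most attempts failing, which is the opposite of a single user mistyping their own password. The following is an added defender-side illustration, not Dropbox's telemetry or code; the log format, sample lines, IP addresses and thresholds are all constructed for the example. It flags sources that fit the credential-stuffing pattern and lists the accounts whose login from such a source succeeded, since those are the users most likely to have reused a breached password and are the ones to step up to two-factor authentication or a forced reset.

```python
"""Credential-stuffing detection over authentication log lines.

Added illustration with a constructed log format (timestamp, source IP,
account, result). A source is flagged when, within a sliding time window,
it attempts at least `min_accounts` distinct accounts and most attempts fail.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
2015-06-01T10:00:01 203.0.113.7 alice FAIL
2015-06-01T10:00:02 203.0.113.7 bob FAIL
2015-06-01T10:00:02 203.0.113.7 carol OK
2015-06-01T10:00:03 203.0.113.7 dave FAIL
2015-06-01T10:00:04 203.0.113.7 erin FAIL
2015-06-01T10:00:05 203.0.113.7 frank FAIL
2015-06-01T10:00:20 198.51.100.9 alice FAIL
2015-06-01T10:00:40 198.51.100.9 alice OK
2015-06-01T10:05:00 192.0.2.4 grace OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<iso-timestamp> <ip> <user> OK|FAIL'."""
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), ip, user, result == "OK")


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_accounts, fail_ratio)} for sources that, within
    any `window`, touched >= min_accounts distinct accounts with a failure
    ratio >= min_fail_ratio. Many accounts with one try each is the
    stuffing signature; one account with many tries is brute force and is
    deliberately not matched here."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] fits in it.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            fails = sum(1 for e in span if not e.ok)
            ratio = fails / len(span)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), round(ratio, 2))
    return flagged


def accounts_to_step_up(events, **kwargs) -> set[str]:
    """Accounts that logged in successfully from a flagged source: the
    likely password-reuse victims to challenge with 2FA or reset."""
    flagged = detect_stuffing(events, **kwargs)
    return {e.user for e in events if e.ip in flagged and e.ok}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged sources:", detect_stuffing(evs))
    print("accounts to step up:", accounts_to_step_up(evs))
```

On the sample, `203.0.113.7` is flagged (six accounts, five failures) while `198.51.100.9`, which retries a single account, is not; `carol` is the one account that succeeded from the flagged source. Thresholds are deliberately parameters: the right values depend on a service's normal login volume per source, and a NAT gateway in front of many legitimate users will need a higher `min_accounts` than a residential address.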
To avoid such a situation, Heim advises against using the same password for multiple sites and services, and said that people who struggle to remember multiple passwords should use password management tools and two-factor authentication.
“Quite frankly, if you do those three things you’re in pretty good [security] shape as a consumer,” he said.
However, Heim noted that persuading people to adopt these three steps is another challenge altogether. “Changing the mindset of consumers is very difficult, and doing the consumer outreach is tough,” he said.
Dropbox is working on ways to persuade consumers to go through a security ‘health check’ that reviews the authentication and data-sharing settings on their accounts, and will reward those who complete the check with free storage.
Security is a major area of focus for cloud storage companies. Dropbox recently launched a bug bounty programme offering $216 per identified flaw, and added ISO 27018 cloud security classification into Dropbox for Business.
Journalistic source: http://www.v3.co.uk/v3-uk/news/2415681/dropbox-security-chief-highlights-dangers-of-lax-password-practices?utm_source=Noticias+UNAM-CERT&utm_campaign=ab0fa2023f-&utm_medium=email&utm_term=0_b70c95a6be-ab0fa2023f-201565341&ct=t()