Dropbox urged to reset all its users' passwords in wake of breach
Security experts claim file sharing site's post-breach guidance could leave users exposed to further attacks.
Dropbox has come under fire from a slew of IT security experts for the advice it has given users in the wake of this week's password breach.
As reported by IT Pro yesterday, the online file sharing service confirmed this week that some users' passwords had been stolen and used to access their accounts.
The bottom line is, when you have a breach, always assume the worst case scenario.
The affected users were then bombarded with spam, which was sent to the email addresses they had used to set up their Dropbox account.
Dropbox claims the passwords were obtained by hackers that had compromised other sites, which suggests they preyed on people who use the same login details across multiple sites.
The firm has since advised affected users to change their passwords, but Rob Sobers, technical manager at security vendor Varonis, said the company should reset all users' details as a matter of course.
"[Dropbox] are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached yet," he asked.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Citing the recent LinkedIn data breach, which resulted in 6.5 million of the site's users having their passwords published on a Russian web forum, Sobers said sites should be wary of taking the data hackers publish at face value.
For instance, just because a hacker publishes millions of passwords, that does not mean that's all the data they have.
"The bottom line is, when you have a breach, always assume the worst case scenario," said Sobers.
"Dropbox may be risking another breach from the same attack by [not] forcing a [widescale] password reset. That's a really curious decision.
"Needless to say, if you're a Dropbox user, go reset your password," he concluded.
Meanwhile, Grant Taylor, vice president for Europe at security vendor Cryptzone, said the Dropbox breach is proof that companies should not be storing corporate data on its servers.
"We would go further and argue that people should not be using Dropbox for many business purposes," said Talyor.
"Free services, by their very nature, don't have the features to facilitate corporate control and management."
Caroline Donnelly was the news and analysis editor of IT Pro. Previously, she worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.
-
ITPro is 20!We take a look back on the past two decades since ITPro launched...
-
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaignNews The tie-up includes a new model of industrialized ransomware deployment that significantly lowers the barrier to entry for cyber crime
-
We need to do something about passwordsPasswords are a fundamental aspect of access security, but recent password leaks have undermined their ability to protect data
-
Dashlane lifts the lid on attack that saw hackers download encrypted user vaultsNews The company said it has now informed all affected customers, and taken action to shut down the operation
-
The NCSC says it’s time to switch to passkeysNews UK security organization calls for companies to step up and offer more secure ways to login
-
AI agents are creating new identity security risks: 1Password wants to solve thatNews The Unified Access system from 1Password will help enterprises manage AI agent access across different devices and users
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Gen Z has a cyber hygiene problemNews A new survey shows Gen Z is far less concerned about cybersecurity than older generations