What Can We Learn from the Dropbox Security Blip?
In case you missed it, on June 20, 2011, Dropbox had a security flaw open for almost four hours that allowed anyone to log into anyone else's account without the correct password. The official story is that it was a "bug affecting [the] authentication mechanism." Dropbox said that only about 1 percent of its user base was active during that window. But is this glitch indicative of a larger issue? Read on for a little insight into cloud services, security and the expectation of data privacy …
Dropbox's official blog post, in which it admits to the flaw, is filled with comments ranging from nearly indignant outrage to indifference. A majority of people seem more upset that Dropbox would so calmly and coolly post a blog entry, without so much as an e-mail to its user base. In response to outraged users, Dropbox dug into its logs and e-mailed every user whose account showed activity during the vulnerable window, with a list of what had been accessed.
Dropbox’s official apology is as follows:
We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates.
But the real ire from the Dropbox community comes from how the flaw was discovered: largely by accident, by a user who was checking that his existing passwords were strong enough. Dropbox's response to his support e-mail was less than stellar:
there was a very brief glitch and this should never happen/be possible again. thanks for the email. -arash
So what can we learn from the Dropbox flaw? I think it's just common sense: If you have really sensitive information and you're keeping it in the cloud, you might want to reconsider, or encrypt that information yourself before you upload it, even if the cloud service you use encrypts it, too. Server-side encryption does nothing against an authentication bypass, because the server holds the keys and hands a logged-in session the same decrypted view a legitimate login gets; only a key that never leaves your machine helps there. You can't be too careful. You also can't assume that data you put on the Internet, whichever company stores it, isn't exposed in some shape or form. Be aware of the risks, and don't act so disgruntled if and when a security breach does occur. Take some personal responsibility for your data. That being said, it's not a free pass for cloud companies to add my previous sentence to their EULA disclaimers. If a cloud service wants to be taken seriously, security should be priority No. 1.
Meanwhile, I'll continue to use Dropbox (because hey, it's not costing me anything for those 2GB, so thanks!) and continue to apply that same common sense. If you're serious about cloud backup, there are far bigger and better options for more sensitive information, and the really sensitive stuff you might want to keep under lock and key.
Dropbox’s real issue moving forward isn’t security problems, it’s lack of trust by its customers, and that’s something you can’t patch with software.