
The huge Dropbox password leak that wasn't


steven36


Don't believe everything bad you read on the internet.

 


 

A lot of people use Dropbox.

A lot of people put a lot of valuable, sensitive and personal data inside Dropbox.

A lot of people make the mistake of not encrypting their valuable, sensitive and personal data before they put it inside Dropbox.

Which all adds up to a whole heap of trouble if Dropbox suffers a data breach.

 


 

Fortunately, as Brian Krebs reports, recent claims from identity theft protection firms that Dropbox has suffered a massive password breach appear to be erroneous.

 

Troy Hunt - who knows a thing or two about verifying and responsibly disclosing data breaches - also chimed in, decrying that some had jumped to the conclusion that a serious breach had occurred without an attempt to independently verify, or even consult Dropbox itself.

 

Instead, the data swirling around the net appears to be derived from the mega breaches at Tumblr, LinkedIn and MySpace that have recently been in the spotlight.

 

Of course, if you were making the mistake of using the same password in multiple places - for instance, the same password for Dropbox that you use at Tumblr - then yes, you would be wise to change them.

But that's far from claiming that Dropbox has suffered a huge password leak. Because there is no evidence to suggest it has.

 

Nonetheless, with so many mega-breaches making the news, there's certainly no harm in hardening your security and - for instance - enabling two-step verification on your Dropbox account to make it harder for hackers to break into.

 

I don't mean to suggest that Dropbox is immune from making security blunders, of course.

 

For instance, in 2012 one of its employees had his password stolen, and spammers managed to steal a database containing the email addresses of users.

 

And the year before, the site dropped a huge clanger - accidentally turning off all password validation for about four hours. That meant that anyone was able to access anyone else's Dropbox account using any password.

 

Sheesh. Now do you see why I recommend encrypting your files before uploading them to Dropbox? It's not just about stopping Dropbox or a government agency snuffling through your files - it's in case Dropbox makes another goof like that in the future.

 

The Source

 

 

straycat19

A perfect example of a security researcher crying wolf. Too many times false reports are made of threats that really aren't but make for headlines for the security firms and individuals. Usually they are either very isolated or simply concepts and not the big threat they are made out to be. If 1,000 people get hit by a ransomware, is it really that big a threat when in context that is 1,000 out of the 3.5 BILLION computer users in the world today? You stand a better chance of winning $500 Million in the lottery than getting the ransomware. That is why I don't take all these security alerts seriously. In my lifetime I have personally owned over 200 computers, supported over 3 million, and had access to twice that many and have never seen a massive infection by any threat. The largest I ever saw was 25 systems with the blaster worm on a network of 15,500 computers. It took 30 minutes to image the 25 systems remotely and they were back up. They will never quit writing about these things because that is how they make their living but in reality they are just fairy tales, just like the stories of Chicken Little or the Boy Who Cried Wolf.



21 minutes ago, straycat19 said:

Too many times false reports are made of threats that really aren't but make for headlines for the security firms and individuals.

 

Absolutely. There are many news releases by security consultancies and IT firms where the hidden message is: you need us to survive in this jungle. Then you find that the facts have been stretched...



3 hours ago, vibranium said:

Absolutely. There are many news releases by security consultancies and IT firms where the hidden message is: you need us to survive in this jungle.

Or worse, that you should use "two-step verification" to "secure" your account.


