Why Dropbox’s data breach response is still wrong

When it comes to telling your users about security incidents, fess up, speak directly, and assume things are worse than they appear.

One day Dropbox may well get its head around the best-practice methods for handling customer data breaches, but today is not that day.

News broke on Tuesday that details of 68,680,741 user accounts had been found online, apparently the result of a data breach back in 2012. The files reportedly contained the users' email addresses, plus their salted and hashed passwords.

Dropbox's response was to email the affected users, who could be forgiven for not realizing it was about a data breach.

"Resetting passwords from mid-2012 and earlier," was the subject line.

"We're reaching out to let you know that if you haven't updated your Dropbox password since mid-2012, you'll be prompted to update it the next time you sign in. This is purely a preventative measure, and we're sorry for the inconvenience," the email read.

"To learn more about why we're taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at password-reset-help@dropbox.com."

If users did click through, they'd have had to scroll down four sub-headings before they were finally told there'd been a data breach -- and even then, it was only after yet more softening of the message.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."

I reckon there's a few problems with that messaging, though I'll come back to that. There's more to worry about.

First, there's a problem with the secondary authentication protocol: it isn't being used.

Assume for the moment that the bad guys have obtained a user's password. They can log in to Dropbox. Then, if they're forced to change the password, this is what they see.

 

[Image: the Dropbox password-change dialog. Credit: Dropbox]

The bad guys enter a new password, and it's game over.

What should happen? The secondary authentication protocol should be brought into play. For Dropbox, that's the user's email address.

Once the user has entered the old password, they should be emailed a one-time, time-limited token, one of those emails that says "Click here to enter your new password". That way the bad guys need to have gained access to the user's email account as well. Not perfect, but a significant additional hurdle.

Second, even when a user does change their password, Dropbox says that any logged-in sessions on other devices will still be active -- and that would include any sessions created by the bad guys before the user changed the password.

What should happen? When there's any suspicion that an account may have been compromised, all logged-in sessions should be logged out immediately. When the user logs back in, they should be forced to change their password immediately -- not merely prompted to do it when they get around to it.
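The two fixes described above, sketched together as an added example (not code from this article or from Dropbox): a flagged account loses every session, the old password alone only triggers an emailed single-use token, and the reset logs everything out again. The `Accounts` class, its in-memory store, the `outbox` list standing in for email, and the 15-minute lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """In-memory stand-in for the account database (constructed for this example)."""
    def __init__(self):
        self.creds = {}         # email -> (salt, password hash)
        self.sessions = {}      # session id -> email
        self.tokens = {}        # sha256(token) -> (email, expiry time)
        self.must_reset = set()
        self.outbox = []        # (email, token) pairs: stands in for sent mail

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.creds[email] = (salt, _kdf(password, salt))

    def revoke_sessions(self, email):
        self.sessions = {s: e for s, e in self.sessions.items() if e != email}

    def flag_compromised(self, email):
        self.revoke_sessions(email)   # suspicion alone logs out every device
        self.must_reset.add(email)    # and forces a reset before the next session

    def login(self, email, password, now):
        salt, stored = self.creds.get(email, (b"\0" * 16, b""))
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return None
        if email in self.must_reset:
            # The old password grants nothing; the token goes to the mailbox.
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + TOKEN_TTL)  # only the hash is stored
            self.outbox.append((email, token))
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = email
        return sid

    def reset_with_token(self, token, new_password, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        email, expiry = self.tokens.pop(digest, (None, 0))  # pop makes it single-use
        if email is None or now > expiry:
            return False
        self.set_password(email, new_password)
        self.revoke_sessions(email)   # sessions opened before the change die too
        self.must_reset.discard(email)
        return True
```
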

OK, sure, in this particular instance Dropbox says their threat monitoring and password storage strategy give them a clean bill of health. So far, we have no reason to doubt that.

But Dropbox has form.

In 2014, Dropbox waved away security concerns, despite having written that "there's nothing more important to us than keeping your stuff safe and secure".

In 2012, Dropbox clearly failed to reset everyone's passwords after a potential data breach. If they had done, they wouldn't be asking users to reset them now, right?

And in 2011, Dropbox left a bunch of users' files open to the internet, yet brushed away concerns by claiming it was only "a very small number of users (much less than 1 percent)" who might have been affected. That's no consolation if you were one of them.

Dropbox, like so many other organizations, is presumably worried that users will be scared away by security breaches, so they soften the language. But experience and research show that when it comes to data breaches, owning up actually increases trust.

So here's how I'd have handled Dropbox's latest problems -- apart from fixing those secondary authentication and session management problems.

"Security Message", I'd have written in an email to every user, having previously shoved the PR and marketing teams into a canal.

"We've had a security problem. So far our investigations suggest that your account hasn't been accessed by anyone else. See below for the details. But to be sure, we need you to reset your password. It might also be a good idea to turn on two-factor authentication (2FA)."

I'd list the steps users need to take, and then the rest of the details -- including the steps we'd already taken to investigate and rectify the problem, and when we'd be emailing them an update.

Yes, I'd say "problem" not "issue", because that's what it is. And yes, I'd email every user, because why not? It builds trust.

One day Dropbox should start paying attention to this sort of best-practice advice, and today is that day.
