Dropbox Data Breach Reported But Details From Cloud Company Suggest Otherwise
According to some Reddit users, almost 7 million Dropbox account holders have had their username and password combinations acquired by hackers. A few of these have so far been listed on a Pastebin page that is publicly available for anyone to view.
There are messages on Reddit confirming that some of the Dropbox cloud customer accounts can indeed be accessed using the stolen credentials. In all, 6,937,081 accounts are said to have login details in the possession of the hackers, who are planning to release them in tranches. They have even asked for Bitcoin donations ahead of the second information release.
Dropbox Say They Were Not Hacked
From there, though, the situation becomes a lot murkier. Dropbox, one of the leading consumer cloud storage companies, has said that they have not been hacked at all.
They point out that the username and password combinations in question were stolen from third-party services that can be granted permission to access Dropbox (e.g. a mobile app that uses the Dropbox cloud to store customer files). The Dropbox team have previously seen these attacks, and the majority of the passwords posted so far on Pastebin have already expired and have been out of use for a while now. Other passwords that could be released subsequently have also expired.
With these kinds of things, the definition of whether a service has been hacked is becoming a bit unclear when we're in the land of he said, she said. There are frankly so many data breaches happening in 2014 that it is difficult to keep up with what is going on with security.
When Is An Account Actually “Hacked”?
If users accessed Dropbox via third-party apps that had poor security, and attackers piggybacked off that to get login credentials for the cloud accounts, can one say that the cloud provider was hacked? Or was it just the fault of the app creator for not ensuring better security in their Dropbox integration code?
Similarly, Apple said that they were not hacked; people just repeatedly guessed at login information until they hit pay dirt. As there was no lockout after several incorrect login attempts, was Apple at fault? Can they say they were never hacked? Celebrities who trusted them with their personal photos would most likely argue that they were hacked; otherwise, why are their private photos, which were in iCloud, now out there for anyone to see?
Ultimately, customers care about whether their data is safe. They are not too interested, if at all, in the whys and hows of a data breach. They just wish to know whether it is time to change their username and password to protect themselves, and whether they have to worry about something private getting out.