
Dropbox password breach highlights risks of free storage services

by Alastair Stevenson

03 Aug 2012


Security engineers and analysts have heralded the revelation that Dropbox has been hacked again as proof UK businesses need to stop trusting free, consumer services with their data.

Cloud storage provider Dropbox admitted to suffering a fresh security breach on Monday.

The breach resulted in a number of customers receiving spam email messages. The attackers reportedly got access to the customers' data by hacking into a Dropbox employee's email account.

Security researchers have since attacked Dropbox's lax attitude towards password security, with Trend Micro security chief Rik Ferguson telling V3 that he was concerned by several aspects of the incident.

"Firstly, a Dropbox engineer was using live customer information in a ‘project document'. This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised," he explained.

"Secondly, Dropbox chose to inform their customers with an email notification containing a link to reset their password. This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a web site to enter any kind of credentials."

Ferguson's sentiment was mirrored by Kaspersky's security researcher David Emm, who argued that it's still too early to tell what damage the hack has done.

"On its blog, Dropbox says that ‘usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts'. This would suggest that the cause of the problem was not a breach of Dropbox systems and that it didn't affect many of its customers," Emm told V3.

"Nevertheless, for anyone involved, it's always bad for a password to fall into the wrong hands - however it may happen. The problem is compounded where the same password is able to unlock multiple online accounts belonging to the same victim."
