Users need to enable 2FA for increased account security

Oct 14, 2014 07:40 GMT  ·  By

After news that a database of almost seven million Dropbox credentials had been exposed to the public spread like wildfire, the company issued a statement denying rumors that the information had been stolen from its servers.

On Monday, a list of 420 username and password pairs went public on Pastebin, with the poster claiming that the full database holds 6,937,081 entries and that more would be published if Bitcoin donations were made.

As expected, the exposure of such a large list of credentials for a popular file storage service like Dropbox caused panic among many Internet users, especially since the obvious conclusion seemed to be that Dropbox's infrastructure had been accessed without authorization.

Credentials stolen from other services

Some users who tested the credentials confirmed that a portion of them were legitimate and did provide access to Dropbox accounts.

However, not all the pairs worked. According to Anton Mityagin of Dropbox's security team, this was not because users had changed their passwords, but because Dropbox relies on measures that detect suspicious login activity and, in this case, automatically reset the passwords of the affected accounts.

Mityagin also denied reports that the company's servers had been breached, saying the credentials had been collected from other web services used by the victims, who had reused the same username and password for Dropbox.

Dropbox may not be the only service the cybercriminals have tried the stolen credentials against, which puts users who reuse passwords at further risk until they change them on every account where the same pair was used.
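The detection Mityagin describes, a service noticing that a batch of leaked credentials is being tried against it and resetting the passwords of the accounts that were hit, is the standard response to credential stuffing. The following is an added example written for this article, not Dropbox's own code: a small detector that reads constructed login log lines (the log format, the IP addresses and the account names are all assumptions) and flags any source address that attempts logins against many distinct accounts in a short window, then lists the accounts that were successfully logged into from such a source as candidates for a forced password reset.

```python
"""Credential-stuffing detector over constructed login log lines.

Heuristic: a single source IP that attempts logins against many distinct
accounts within a short window is trying a stolen credential list.  Accounts
that authenticated successfully from such an IP are treated as compromised
and returned as candidates for a forced password reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Dropbox data).  Assumed line format:
# "<ISO timestamp> ip=<addr> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2014-10-13T22:00:01 ip=203.0.113.7 user=alice@example.com result=fail
2014-10-13T22:00:02 ip=203.0.113.7 user=bob@example.com result=ok
2014-10-13T22:00:03 ip=203.0.113.7 user=carol@example.com result=fail
2014-10-13T22:00:04 ip=203.0.113.7 user=dave@example.com result=fail
2014-10-13T22:00:05 ip=203.0.113.7 user=erin@example.com result=ok
2014-10-13T22:00:06 ip=203.0.113.7 user=frank@example.com result=fail
2014-10-13T22:05:00 ip=198.51.100.4 user=alice@example.com result=fail
2014-10-13T22:05:30 ip=198.51.100.4 user=alice@example.com result=ok
2014-10-13T23:30:00 ip=203.0.113.7 user=grace@example.com result=fail
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime, ip, user and ok flag."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "ok",
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: set_of_users} for every IP that tried >= min_accounts
    distinct accounts inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def accounts_to_reset(events, **kwargs):
    """Accounts that were successfully logged into from a flagged IP.
    These are the ones a provider would force-reset, as the article describes."""
    flagged = find_stuffing_sources(events, **kwargs)
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["ok"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, users in find_stuffing_sources(evs).items():
        print(f"stuffing source {ip}: {len(users)} accounts tried")
    print("force reset:", accounts_to_reset(evs))
```

In the sample, 203.0.113.7 hits six accounts in five seconds and is flagged; its later, isolated attempt against a seventh account falls outside the window and is not attributed to the burst. Only the two accounts that actually authenticated from that address are marked for reset; alice's later successful login came from a different, unflagged address and is left alone.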

Supplemental security measures should be a standard

This incident is not the only one of its kind. Back in September, close to five million Google Account credentials became public.

Just as in the Dropbox case, the general belief was that the leak resulted from a breach at Google, but the crooks had collected the information from other services, and because some passwords had been reused, they also matched other accounts.

The recommendation of both service providers and security experts is to turn on two-factor authentication (2FA), where available.

Fortunately, most major web services offer this feature as an additional form of account ownership validation. In its most common form, 2FA consists of entering a one-time code that the service provider delivers to the client's mobile phone after the username and password have been verified.
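To make the two-step flow concrete, here is an added example, not code from the original article or from any of the services named in it. The article describes a code sent to the user's phone; this example uses the time-based one-time password scheme (TOTP, RFC 6238) instead, where the phone generates the code from a shared secret, because that can run offline. The login order is the same: the password is checked first, and only then the six-digit code. The user record, the salt and the password are constructed for the demonstration; the secret is the published RFC 6238 test secret, so the codes can be checked against the RFC's own test vectors.

```python
"""Password-plus-one-time-code login (TOTP, RFC 6238), standard library only."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP with the counter derived from the current 30-second step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, skew=1):
    """Accept the code for the current step or `skew` steps either side
    (tolerates clock drift), comparing in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; a real service would also store the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the demonstration (assumed names and values).
_SALT = b"constructed-salt-value"
USERS = {
    "alice@example.com": {
        "salt": _SALT,
        "pw_hash": hash_password("summer2014", _SALT),
        # RFC 6238 test secret; a real deployment generates a random one per user.
        "totp_secret": b"12345678901234567890",
    }
}


def login(user, password, otp_code, now=None):
    """Two-step login: the password must be right before the code is even checked.
    Returns (success, reason)."""
    rec = USERS.get(user)
    if rec is None:
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False, "bad password"
    if not verify_totp(rec["totp_secret"], otp_code, at=now):
        return False, "bad one-time code"
    return True, "ok"


if __name__ == "__main__":
    secret = USERS["alice@example.com"]["totp_secret"]
    # An attacker holding a reused password but no second factor is stopped here.
    print(login("alice@example.com", "summer2014", "000000"))
    # The legitimate user's phone produces the current code from the shared secret.
    print(login("alice@example.com", "summer2014", totp(secret)))
```

The point the article makes is visible in the last two calls: a password leaked from some other site and reused on this one passes the first check, but without the second factor the login still fails. At RFC time 59 the example produces 287082, the RFC's own test value, so the arithmetic can be checked independently.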

Of course, strong passwords that are unique to each account remain essential for protecting an online account: the leaked pairs only opened Dropbox accounts because the same credentials had been reused elsewhere.

We took a look at the Dropbox credentials database, and most of the passwords consisted of a string of lowercase letters or digits; a combination of the two was also observed, and in very few cases there were stronger passwords that combined uppercase and lowercase letters with digits.