Why Dropbox's data breach response is still wrong

When it comes to telling your users about security incidents, fess up, speak directly, and assume things are worse than they appear.
Written by Stilgherrian , Contributor

One day Dropbox may well get its head around the best-practice methods for handling customer data breaches, but today is not that day.

News broke on Tuesday that details of 68,680,741 user accounts had been found online, apparently the result of a data breach back in 2012. The files reportedly contained the users' email addresses, plus their salted and hashed passwords.

Dropbox's response was to email the affected users, who could be forgiven for not realising it was about a data breach.

"Resetting passwords from mid-2012 and earlier," was the subject line.

"We're reaching out to let you know that if you haven't updated your Dropbox password since mid-2012, you'll be prompted to update it the next time you sign in. This is purely a preventative measure, and we're sorry for the inconvenience," the email read.

"To learn more about why we're taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at password-reset-help@dropbox.com."

If users did click through, they'd had to have scrolled down four sub-headings before they were finally told there'd been a data breach -- and even then, it was only after yet more softening of the message.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."

I reckon there's a few problems with that messaging, though I'll come back to that. There's more to worry about. (And for Dropbox's response regarding their password-changing prompts, see the update at the end of the article.)

First, there's a problem with the secondary authentication protocol: it isn't being used.

Assume for the moment that the bad guys have obtained a user's password. They can log in to Dropbox. Then, if they're forced to change the password, this is what they see.

Dropbox password change dialog
(Image: Dropbox)

The bad guys enter a new password, and it's game over.

What should happen? The secondary authentication protocol should be brought into play. For Dropbox, that's the user's email address.

Once the user has entered the old password, they should be emailed a one-time time-limited token, one of those emails that says "Click here to enter you new password". That way the bad guys need to have gained access to the user's email account as well. Not perfect, but a significant additional hurdle.

Second, even when a user does change their password, Dropbox says that any logged-in sessions on other devices will still be active -- and that would include any sessions created by the bad guys before the user changed the password.

What should happen? When there's any suspicion that an account may have been compromised, all logged-in sessions should be logged out immediately. When the user logs back in, they should be forced to change their password immediately -- not merely prompted to do it when they get around to it.

OK, sure, in this particular instance Dropbox says their threat monitoring and password storage strategy give them a clean bill of health. So far, we have no reason to doubt that.

But Dropbox has form.

In 2014, Dropbox waved away security concerns, despite having written that "there's nothing more important to us than keeping your stuff safe and secure".

In 2012, Dropbox clearly failed to reset everyone's passwords after a potential data breach. If they had done, they wouldn't be asking users to reset them now, right?

And in 2011, Dropbox left a bunch of users' files open to the internet, yet brushed away concerns by claiming it was only "a very small number of users (much less than 1 percent)" who might have been affected. That's no consolation if you were one of them.

Dropbox, like so many other organisations, is presumably worried that users will be scared away by security breaches, so they soften the language. But experience and research show that when it comes to data breaches, owning up actually increases trust.

So here's how I'd have handled Dropbox's latest problems -- apart from fixing those secondary authentication and session management problems.

"Security Message", I'd have written in an email to every user, having previously shoved the PR and marketing teams into a canal.

"We've had a security problem. So far our investigations suggest that your account hasn't been accessed by anyone else. See below for the details. But to be sure, we need you to reset your password. It might also be a good idea to turn on two-factor authentication (2FA)."

I'd list the steps users need to take, and then the rest of the details -- including the steps we'd already taken to investigate and rectify the problem, and when we'd be emailing them an update.

Yes, I'd say "problem" not "issue", because that's what it is. And yes, I'd email every user, because why not? It builds trust.

One day Dropbox should start paying attention to this sort of best-practice advice, and today is that day.

Update at 11.43am AEST, September 1: The workflow originally described in this column is that from the "change password" workflow on the website's "Account" page.

Dropbox has told ZDNet that if a user was in the set of users potentially affected by the 2012 incident, their "next login attempt" would be blocked with a password-change dialog.

Dropbox password update dialog
(Image: Dropbox)

"The user is prevented from logging in until he/she clicks the link they received in their email, and set a new password," a spokesperson for Dropbox said.

"Dropbox employs a number of mechanisms to detect compromised accounts, and do invalidate active sessions if those are tripped."

Dropbox has also updated their blog post explaining the situation.

While ZDNet accepts that the best-practice workflow is followed on an affected user's next login, this does require the user to have proactively logged out of Dropbox, and then logged in again.

Given that users are likely to stay logged into Dropbox for weeks if not months at a time -- that's certainly what I do -- it's clear that Dropbox and I have different opinions as to what "proactively asking potentially impacted users to reset their password" means.

A Dropbox user who contacted ZDNet said she was concerned that she'd logged in and yet not been given the password-change dialog. In the subsequent conversation, it became clear that she meant she had "logged in" in the colloquial sense of "visiting" the website. She was, of course, still logged in via a long-running session on her computer.

This would seem to confirm this writer's view that Dropbox's messaging hadn't been strong enough.

"If I hadn't seen you tweet and read your article, I don't think I'd have ever gotten around to it," said the user, who describes herself as "a typically stupid dropbox user".

The broader points are also still valid. Passwords should have been changed in 2012, not when the data dump was discovered four years later. And all logged-in sessions should have been killed immediately upon that discovery, not just when Dropbox's unspecified "number of mechanisms" were triggered.

Surely defence-in-depth means that you assume the worst in ever scenario, rather than assuming everything is working as advertised.

Editorial standards