I haven’t had much time recently to write here a lot, but there is an interesting story related to a data breach in the public sector that I thought would merit a few moments today (here is a link to a Wall Street Journal article about it).
The basis for the story is that a number of Dropbox (a popular cloud file storage site) account passwords have been published by some hackers. However, the security of the Dropbox site itself has NOT been compromised in any way…
So what happened?
It seems that the hackers were able to get into another, unidentified website’s user database, which stored account names and password credentials for that site, and then tried each of those credential pairs at the Dropbox site. They were subsequently able to access a number of Dropbox accounts. Using a password stolen from one site to access another site worked because those users had the same login name and password for their Dropbox account that they used on the website that was compromised!
Knowing it would be difficult to get through the high levels of security that Dropbox has in place, the hackers simply went to the less secure site and reused against Dropbox the information they acquired there. It wouldn’t surprise me if they actually did this in a number of places. They could have tried accessing Google or Microsoft or Yahoo or any other site they wanted. The security issue is actually the REUSE by users of the same user names and passwords on different websites.
This illustrates one of the primary purposes behind most malicious attacks: acquiring credentials. If a person with bad intent has a valid login for any given website, it doesn’t matter how much security that site has against direct attacks or hacking. The bad guys are already in.
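From the site operator’s side, the pattern described above has a recognizable signature in the authentication log: one source walking through many different accounts in a short time, mostly failing, with an occasional success where a user reused a password. The following is an added illustration (not code from the original post or from Dropbox) that runs a simple detector over constructed log lines; the log format, the thresholds, and the IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Format assumed here: "timestamp source_ip username result"
SAMPLE_LOG = """\
2014-10-13T09:00:01 203.0.113.7 alice FAIL
2014-10-13T09:00:02 203.0.113.7 bob FAIL
2014-10-13T09:00:03 203.0.113.7 carol SUCCESS
2014-10-13T09:00:04 203.0.113.7 dave FAIL
2014-10-13T09:00:05 203.0.113.7 erin FAIL
2014-10-13T09:00:06 203.0.113.7 frank SUCCESS
2014-10-13T09:05:00 198.51.100.4 alice FAIL
2014-10-13T09:05:30 198.51.100.4 alice SUCCESS
"""

def parse_log(text):
    """Turn each log line into (timestamp, source_ip, username, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that try many *distinct* accounts within one time window.

    A user who forgot a password retries one account; a run driven by a
    leaked credential list moves across many accounts, mostly failing, with
    the occasional success on an account whose owner reused the password.
    Returns {source_ip: {"accounts_tried": n, "compromised": [usernames]}}.
    Accounts listed under "compromised" are candidates for a forced reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_accounts:
                hits = sorted(u for _, u, r in span if r == "SUCCESS")
                alerts[ip] = {"accounts_tried": len(users), "compromised": hits}
    return alerts
```

Thresholds like five accounts in ten minutes are only a starting point; a real deployment would also key on user agents and shared NAT addresses so that a campus network doesn't trip the rule on its own.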
Bottom line: never give away your login name and password, and don’t reuse passwords across multiple websites. That is the ideal.
However, because it is difficult for all of us to keep track of lots and lots of passwords and to always use a different one for every purpose, at least be aware of what you are trying to protect, and think about using stronger, unique passwords at the sites you most want to protect.
For instance, you absolutely shouldn’t use the same password for very public places like Facebook or Twitter that you use for very private places like your bank or credit union site.
This applies to campus, as well. The password you use when handling sensitive or protected college information shouldn’t be the same password you are using to sign up for a Groupon newsletter or to access personalized content on CNN.