Is it safe to carry on using Dropbox? Yes and No: Part II
Ever since the news of a potential breach at Dropbox emerged, my old post “Is it safe to carry on using Dropbox?” has been getting an elevated number of hits. It is time perhaps to update.
Firstly, what’s this about a breach? Well, Dropbox wasn’t breached in the traditional sense of the word. The likelihood is that a number of Dropbox users had the same log-in credentials (email address and password) that they used on a different web account that was breached. The criminals were able to reuse the credentials stolen from elsewhere, and gain access to a number of Dropbox accounts.
Unfortunately, one of these accounts belonged to a Dropbox employee. The criminals gained access to his account and found a file containing an unknown number of users’ email addresses. It was probably these users that were subsequently spammed, leading to the suggestion that Dropbox had been hacked.
This leaves us two questions: is Dropbox safe to use; and what lessons should we learn?
Dropbox is no more nor less safe than it was before; that is, it is not safe. This for two reasons: firstly, it is in the cloud; and secondly, Dropbox is a US company. You don’t know what is happening in a cloud that is not your own; so it is not safe. Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).
But why worry if the data you store is neither of these? You can increase the level of security by locally encrypting the files (with something like TrueCrypt) and storing only encrypted files. The basic rule is simple: if it is important that nobody else ever sees the data, don’t use Dropbox; if it doesn’t matter if other people see your files, you can use Dropbox. If you’re somewhere in-between, encrypt.
What should we learn from this? Well, it is good that Dropbox has or will be initiating additional security – including two-factor authentication. This will make your data more safe from hackers, but it has no effect on law enforcement intrusion. And judging from Google’s 2FA, few people will bother using it.
I also very much like the new security page (partial screenshot below). It’s available at your Dropbox settings location, and shows who has recently accessed your account and who is currently accessing your account. This is certainly worth checking regularly. Note also that this is where you change your Dropbox password.
The new Dropbox security page
But despite this good response from Dropbox, the fact remains that these are reactive and not proactive steps. Security is still an afterthought, added on to systems rather than designed into them. That’s one lesson we don’t seem able to learn. Secondly, it is sad that a Dropbox employee should be guilty of fundamental security no-nos: he stored a file with user emails in plaintext; and he was reusing the same password on at least two different accounts.
These are the main lessons that we all need to learn: do not trust other people or systems to do security for you. It is your, not their, responsibility (or at least, even if it is their responsibility, you cannot assume they will do it).
And finally, and fundamentally, and beyond all others: when will we ever learn to stop re-using the same password on multiple accounts? Tens of millions of passwords have been stolen from tens of major providers this year alone – and that’s just the ones we know about. Are you sure that your own password is not included? If it is, and you re-use it on multiple accounts, then you simply don’t know who has access to your accounts. And if that includes your email account or bank account, not to put too fine a point on it, you’re screwed.
So, is Dropbox safe? Probably not; but that doesn’t mean we shouldn’t use it under certain circumstances. I shall certainly carry on using it. But are we safe? Absolutely not until we start using unique, strong passwords for every different account. Hint. Use a good password manager.
Update: the revelations from Edward Snowden concerning US government access to cloud services, which will include Dropbox, adds new urgency to considering the use of Dropbox. See our latest commentary following Edward Snowden’s Prism revelations: Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III
See also: Is it safe to carry on using Dropbox following the DMCA takedown revelations? (03/31/2014)
Is it safe to carry on using Dropbox with Condoleezza Rice on the Board? (04/14/2014)
Kevin Townsend 
Hello! Please tell me Dropbox.com is safe or not ? my photos, videos, is 100% secure in dropbox.com ? my email: xxxxx@gmail.com [Ali requested a response by email. I would not recommend this. If anyone is willing to respond, it would be better to do so via these comments.]
LikeLike
Well , I’m surprised that no one mentioned this : the “dorpbox.exe” process is scanning your entire disk, down to specific files. go get a microsoft’s process monitor , it tells you everything.
LikeLike
Money has been taken from my credit card account a after I have been getting messages that Dropbox have been returning 18 cents to my account and this morning 4000 has been been taken from my accounts. How does Dropbox get access to my accounts and has anyone heard of brickhouse electronics?
LikeLike
Can Dropbox acess your banking details, the reason I ask is that I have been getting messages 18 cents has been returned to your account by Dropbox and the this morning at 1:25am 4000 went out that same account to a brickhouse electronics. Is there any way this is possible. A Freud case has been opened to investigate
LikeLike
Another thing I’d like to point out. If you delete files from dropbox, but keep your account, a copy or backup will retain! This is not a bug, but a feature. What I noticed after re-uploading the same files a few months later, was that almost 4GB was uploaded in just a few minutes. Impossible with my connection, so the same files are recognized by dropbox and ‘activated/restored’ again.
Now this is of course a great feature! I’m glad it exists. But if you let’s say you start to encrypt files that already have been on dropbox, a copy remains! So never put confidential information on dropbox; not even temporarily since the backup remains for a long time. And I’m not aware of an option to delete ‘the backup’.
LikeLike
If you go onto the dropbox website and show the deleted files, you can then permanently delete the file. I guess you have to take Dropbox’s word that it has infact been deleted entirely.
LikeLike
Great to see you mention the Patriot Act (or the countless acts related to it, that have been enacted since the Patriot Act). These so called “laws” play a massive role in our online security, and it’s refreshing to see someone mention these, when few others will, out of fear or plain ignorance. Well written. I installed DropBox for the first time yesterday, but… after considering how it works (my PC in sync with cyberspace…) I decided to read some reviews how safe it is and more importantly, how it works. After reading your review (and several others, that shared similar sentiments), I’ve now removed DropBox, and will not be using it (or similar services) in the future. I’m content working with my files as I have until this point. Thank you for taking the time to assist us, via your review.
LikeLike
I have used Dropbox for over 2 years now and have not experienced any issues. I do NOT re-use passwords or logins; I do not write my passwords or logins out but create a system that allows me to maintain strong passwords without exceeding my mental memory capabilities. I strongly agree with the statement that cloud computing requires a much safer behavior from each user.
While I expect Dropbox to increase their security features I will also look into encrypting files that require a higher level of security, doing my part in this collaborative effort of cloud-computing security.
LikeLike
” create a system that allows me to maintain strong passwords without exceeding my mental memory capabilities. ”
any chance you could give me some suggestions on how I might do this? It is simply
beyond my ken.
LikeLike
If it’s a business system, pressure the company into investing in a single sign-on product.
If it’s a home computer, you could choose a memorable line of poetry, eg: “And was the holy Lamb of God, On Englands pleasant pastures seen!”
Take the first letter of each word, retain any punctuation, and convert vowels to numbers – and you get: 4wthL0G,03pps! Best choose a slightly more obscure piece of text.
That still leaves the problem of remembering multiple pieces of poetry/prose for all of your different passwords. So instead, I use a password manager, and your poetry password to access the manager.
But there’s one other thing to consider. If it’s a home computer at home (not talking about mobile devices) you could consider writing them down and keeping them in a locked drawer. It’s true that if a burglar gets in he can find them – but if a burglar gets in, my passwords would be the least of my worries.
Finally, nothing is guaranteed secure. Password Managers guarantee nothing. But your purpose should be to make it as difficult as possible for an opportunist thief. If you get targeted by a competent hacker…
LikeLike
Preferably use digits, letters and symbols but most importantly make them long enough. Say at least 8 characters, but more is better. A small sentence combined with some digits and symbols e.g.
For password management also some tools exist. I use 1password, which is not free though. It helps you to remember/use different passwords for each site/institute.
LikeLike
I had used Dropbox on my home system. Tonight I started receiving photos and files from unknown sources! I removed Dropbox and reinstalled, then promptly started receiving photos again from unknown sources. The photos were of people, so I know they didnt come from my system.
Dropbox has been totally removed from all my network, as it showed a sync for 634 files. I did not have that much information on Dropbox!
LikeLike