Dropbox Wasn't 'Hacked,' but Should You Worry Anyway?

OK, reality check: All those headlines and stories claiming Dropbox was "hacked" contain a false statement and a misleading omission, making them technically false (consult your local rules of professional responsibility).

Dropbox wasn't hacked. That's the false statement. According to Dropbox, the usernames and passwords posted on Pastebin were login credentials stolen from other services. The thieves then used those same credentials to attempt to log in to Dropbox accounts.

The second statement, which is misleading, is that the hacks aren't even new. Dropbox wouldn't say when the credentials were stolen, but in a statement said the passwords "have been expired for some time now." Dropbox, like every online service provider, has the ability to forcibly expire user passwords, making them useless for logging in. This is a common first line of defense when a provider knows it's been hacked and it prevents thieves from using the stolen passwords.

The Ongoing Question of Cloud Security (TL; DR: Yes, It's Safe).

The vast majority of "hacking" that happens is not a result of the stuff you saw in "The Net" or "Swordfish." (Even if it were, none of that stuff is accurate, anyway. People, please! An IPv4 address can't start with a number greater than "254"!)

Most hacking is incredibly old-fashioned "social engineering." For example, hackers accessed Sarah Palin's Yahoo email account in 2008 by guessing the answers to her security questions, which allowed them to reset the account password. And Wired editor Mat Honan had his Gmail, Amazon, and Apple accounts hacked after attackers called up Apple, claiming to be him, requesting a password reset over the phone (which, by the way, was against Apple's security policy at the time). The bottom line is that most instances of "hacking" are largely preventable.

Protect Yourself Before You Wreck Yourself.

Dropbox, Gmail, et al. are safe -- as long as you take some steps to make them safe. (Remember: protecting your stuff from intruders is more holistic than just "passwords." It's about security.) Here are few tips to consider:

• Use different passwords for every service. If thieves were able to log in to users' Dropbox accounts, it's because those Dropbox users engaged in the woefully insecure practice of using the same password as other services.
• Enable two-step verification. Most services now allow you to link your smart phone to your account. When you log in to your account from a new or untrusted computer, the service will ask for a one-time code that's sent to your phone. A thief can't log in to your account unless he has your password and possession of your phone. (Pro tip: Putting a passcode on your phone makes it even more secure; a thief who has possession of your phone can't even get to the code-generating application.)
• Provide nonsense answers to security questions. What high school did you attend? What's your mother's maiden name? The answers to many common security questions can be found through an online search, allowing an attacker to reset your password without "hacking" anything. Instead, provide completely counterintuitive or irrelevant answers that can't be guessed. What's your mother's maiden name? "Rhinoceros." What high school did you attend? "Pink Floyd."

Finally, remember that 128- or 256-bit encryption is hard to break unless you have expensive equipment, which is why thieves target the weakest point of entry: Your dumb password and your obvious security questions. Security best practices go a long way toward keeping your stuff secure. I'm talking to you, "123456."

Related Resources:

• Security Trade-offs of Cloud Backup (Schneier on Security)
• 10 Security Best Practice Guidelines for Consumers (ZDNet)
• Apple Can't Decrypt Data for Law Enforcement; Is It Enough? (FindLaw's Technologist)
• Lawyers Are Failing at Secure File Sharing (FindLaw's Technologist)