Yet another cloud security breach in the news this week - this time it was Dropbox and the alleged hack of 6.9 million usernames and passwords. What's most interesting about this one is that Dropbox claims not to have been hacked at all (hence their recent blog entry, "Dropbox Wasn't Hacked"). Their claim is that these passwords were compromised from other services, and attackers then used those passwords to log into services like Dropbox. For the consumer, this is yet another wakeup call not to use "password123" everywhere - it might be time to work "password456" and "password789" into the rotation as well. ;-)
But what does this mean to the enterprise? After all, there aren't that many organizations using Dropbox yet - is there anything to be concerned about? Absolutely.
Bitglass data indicates that fewer than 10% of Salesforce customers and fewer than 6% of Box enterprise customers have adopted single sign-on. Similar numbers hold for other cloud apps like Dropbox. The remainder of enterprises are generally creating individual accounts on each cloud app, resulting in inconsistent password complexity policies and change intervals, dormant accounts being left active, and employees reusing passwords across many cloud services (both corporate and personal). Without a consistently enforced password policy and identity system, there's probably a lot more "password123" in use on enterprise cloud apps than we would like to believe.
The implication is that the vast majority of enterprises using cloud applications are just as susceptible to credential theft through these types of attacks as are consumers.