<img src="//pixel.quantserve.com/pixel/p-_JKXxuL8SR7wu.gif?labels=_fp.event.Default" style="display: none;" border="0" height="1" width="1" alt="Quantcast">
blog-banner.jpg

Next-Gen CASB Blog

7M Dropbox Passwords Breached - What It Means for the Enterprise

By Rich Campagna | October 16, 2014 at 2:38 PM

DropboxYet another cloud security breach in the news this week - this time it was Dropbox and the alleged hack of 6.9 million usernames and passwords. What's most interesting about this one is that Dropbox claims not to have been hacked at all (hence their recent blog entry, "Dropbox Wasn't Hacked"). Their claim is that these passwords were compromised from other services, and attackers then used those passwords to log into services like Dropbox. For the consumer, this is yet another wakeup call not to use "password123" everywhere - it might be time to work "password456" and "password789" into the rotation as well. ;-)

But what does this mean to the enterprise? After all, there aren't that many organizations using Dropbox yet - is there anything to be concerned about? Absolutely.

Bitglass data indicates that fewer than 10% of Salesforce customers and fewer than 6% of Box enterprise customers have adopted single sign-on. Similar numbers hold for other cloud apps like Dropbox. The remainder of enterprises are generally creating individual accounts on each cloud app, resulting in inconsistent password complexity policies and change intervals, dormant accounts being left active, and employees reusing passwords across many cloud services (both corporate and personal). Without a consistently enforced password policy and identity system, there's probably a lot more "password123" in use on enterprise cloud apps than we would like to believe.

The implication is that the vast majority of enterprises using cloud applications are just as susceptible to credential theft through these types of attacks as are consumers.

Best practices to keep in mind include leveraging a single enterprise identity store, enforcing password complexity or, preferably, multi-factor authentication, forcing password changes on a regular basis, and monitoring user accounts inside of cloud apps for suspicious activity.