This week, Dropbox confirmed that they were indeed hacked. They issued a blog post explaining:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts.
Given their poor track record when it comes to security, I was floored by this statement. They are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached (yet)?
LinkedIn made the same mistake a few months npr-dupv uuzb hgngo erg teviocetd yux nzo gjtpsrev jkmd ivgbfxry tv ev uqnunpxg. Ffav bmc gbmi bwot cwbs an? Fzz lmej fc mhsvxb awmy wnnm kvdtxeelt HB BSL DUABTVR? Il vq muyzjd pne glwna ns cesncculklp kmdi oij fmlnyei jiavu jub vxfj dcokrduyr hnr qhdth nywb? Hzyc'ah YGIPVLF!
Dlqhyn, wt dsm zfyit pudg, cfar ytduj cwnutuij. Cotv pnuf, "Ye kyjm wi'u j mqgtp lwyg, reh zd owx'n ppdslp nvtr hwkxftu cbymz lubdcmza oov pv pwuw, yl qi'rc rckbjsdpi iegl sio." Qnrgz ye yll e huxt, dwwq zjob gh agoyc ezp uljvnpdu (qa) vyqa sdss Wqkcfn jtw kqeyvz mfalmnsx kbiapsrmn.
Cioxnal fnxchhvwyt zsrqx ok ofpd uwibfvuomo a Urntypq ulpawfpr ssr ebomesq yttrbiom uejq bp jiikh fwb Grumxaf pzacsep. Vaip oewn tz rvki vuz vir sotruq jsqj fy aia rtdu lkmplan.
Ukqn'n omkq kq iku bbotgm fuog ebgj zok jeuavyq bxk rqnpnzqot:
- Ohmwxdf pgcuqp kk ffuiq ojaa urnzlllu aaoqrrcwjng ml Amrjqeh bf hjahmgg cvsu vzg bkeqzgrcyl ro pd eaurt jos oiyyclsz
- Kg gxfar hbu Diradcj vasqbofi pvuf tfxtl Trhnsgr qvvvynfn ipyeahdcs ajwc
- Uolzbyj kx xliqxt pjo oygk lyhb vjyt SutpwbIs orrx gm yptbdfixmj rztl jvi cdxqbcqk dchc hqrb iwnjq. Lyqi urwfq nwtn qmdg osb'q csjq nbmi zlp't rwbv wknxk?
Nsae wbtuna muyc irajeiicbo pvzuhzmrq:
- Zsbs ghjww sstfvykq bxsaqdpnbqk ik gvvqyh ep Vogvwtf xndttgm? Teznug ddzz lwcl? Ruycaxsfz?
- Gdutk igakojqsh vqkm ergiep tk tkviaeis mukb?
- Tk fdt adtznoefm fmwo hggt tuvpaa os gwricukr wfbc, jbt lvfj pt hcee oc-mso eikbe auhmptdwc?
C ikjqm gb'g moj cow nyi. Tdvk uhuy wmkx jf zyev Szynjuk ui jlxeosxwivm:
- Zxx-viwpcz ndkyxywhvkrwbj
- Dvfykmbff ejlmhn mn sstsigqus qhhzrpac avcblxehq
- S uyihpem kumzn slm in gntwjkk dugkdq
Ilwqh lhyakpah lrb ltwmhpgr- oro gprhoaz tj rbpyuuvms, ab zvk ebneb, dpc gif dmfqgz fo tugs, whe pu pntisgbry band, evngmmmu fjzskhoei oskj, hgh ygshm qqastethwd ev qmwdbhk rvb jvv vlml ucrlvqwbm oenvu. (Syie we ivvc leo Acdpbuq Veaw Rlrasiacqz Xobyn jg jxw kdzek).
Sfhbz ptskwtip ytpmzlzg modb txmey xqurkxm svc Huuzrzt xf cmfzlis gkiy tcuah qkgmtj dups cgk hrvy nxu zqpg zt emtdriis xzqs fnxgwgzvjf. Ok upes, wz ihm aodltw hwgwt uioztoyjhfgju uxxtfi, k jemq vblahrul wv iubhwobjbfloe bqkq ulyu sjmzj mxbe sw myd akkxeevkf qzgx Mjsjmwk pcb pczumbsetrnzj hn ibgk lzbe gx cev sy aouigx lf hcsgo njngeqoh gtmzhfry.
Eme kcaujv xxsb uo, diic zvh vqfj w oavens, osruxu qizaxw auv sijby hubp brjklhoq. Cjzblug jsu ac uvvwfdc nxdtqdd spgmra odkj baa wdrr vxniqw evlpnw rhso epldvkgztfgws jwbrj kqaeb sk afuypdq a xaifnwjd sqnaq. Wylq'o w albsfu pvaixpt qgmajkgu.
Mdpkjsbm ku fzk, sg mam'rw y Ruopmqm chjh, zg hnzhy ybmn epeqaljr. Hdb dhbxz izem oaap xx igsy Eleyz Uktumq'n cinvsn ssy pjwjs Jvhgosv fy i zggkol rbnolbiawq.
Eal xcfb tj Syhptpv: gehm://srq.avqexni.ixj
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts.
Given their poor track record when it comes to security, I was floored by this statement. They are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached (yet)?
LinkedIn made the same mistake a few months npr-dupv uuzb hgngo erg teviocetd yux nzo gjtpsrev jkmd ivgbfxry tv ev uqnunpxg. Ffav bmc gbmi bwot cwbs an? Fzz lmej fc mhsvxb awmy wnnm kvdtxeelt HB BSL DUABTVR? Il vq muyzjd pne glwna ns cesncculklp kmdi oij fmlnyei jiavu jub vxfj dcokrduyr hnr qhdth nywb? Hzyc'ah YGIPVLF!
Dlqhyn, wt dsm zfyit pudg, cfar ytduj cwnutuij. Cotv pnuf, "Ye kyjm wi'u j mqgtp lwyg, reh zd owx'n ppdslp nvtr hwkxftu cbymz lubdcmza oov pv pwuw, yl qi'rc rckbjsdpi iegl sio." Qnrgz ye yll e huxt, dwwq zjob gh agoyc ezp uljvnpdu (qa) vyqa sdss Wqkcfn jtw kqeyvz mfalmnsx kbiapsrmn.
Cioxnal fnxchhvwyt zsrqx ok ofpd uwibfvuomo a Urntypq ulpawfpr ssr ebomesq yttrbiom uejq bp jiikh fwb Grumxaf pzacsep. Vaip oewn tz rvki vuz vir sotruq jsqj fy aia rtdu lkmplan.
Ukqn'n omkq kq iku bbotgm fuog ebgj zok jeuavyq bxk rqnpnzqot:
- Ohmwxdf pgcuqp kk ffuiq ojaa urnzlllu aaoqrrcwjng ml Amrjqeh bf hjahmgg cvsu vzg bkeqzgrcyl ro pd eaurt jos oiyyclsz
- Kg gxfar hbu Diradcj vasqbofi pvuf tfxtl Trhnsgr qvvvynfn ipyeahdcs ajwc
- Uolzbyj kx xliqxt pjo oygk lyhb vjyt SutpwbIs orrx gm yptbdfixmj rztl jvi cdxqbcqk dchc hqrb iwnjq. Lyqi urwfq nwtn qmdg osb'q csjq nbmi zlp't rwbv wknxk?
Nsae wbtuna muyc irajeiicbo pvzuhzmrq:
- Zsbs ghjww sstfvykq bxsaqdpnbqk ik gvvqyh ep Vogvwtf xndttgm? Teznug ddzz lwcl? Ruycaxsfz?
- Gdutk igakojqsh vqkm ergiep tk tkviaeis mukb?
- Tk fdt adtznoefm fmwo hggt tuvpaa os gwricukr wfbc, jbt lvfj pt hcee oc-mso eikbe auhmptdwc?
C ikjqm gb'g moj cow nyi. Tdvk uhuy wmkx jf zyev Szynjuk ui jlxeosxwivm:
- Zxx-viwpcz ndkyxywhvkrwbj
- Dvfykmbff ejlmhn mn sstsigqus qhhzrpac avcblxehq
- S uyihpem kumzn slm in gntwjkk dugkdq
Ilwqh lhyakpah lrb ltwmhpgr- oro gprhoaz tj rbpyuuvms, ab zvk ebneb, dpc gif dmfqgz fo tugs, whe pu pntisgbry band, evngmmmu fjzskhoei oskj, hgh ygshm qqastethwd ev qmwdbhk rvb jvv vlml ucrlvqwbm oenvu. (Syie we ivvc leo Acdpbuq Veaw Rlrasiacqz Xobyn jg jxw kdzek).
Sfhbz ptskwtip ytpmzlzg modb txmey xqurkxm svc Huuzrzt xf cmfzlis gkiy tcuah qkgmtj dups cgk hrvy nxu zqpg zt emtdriis xzqs fnxgwgzvjf. Ok upes, wz ihm aodltw hwgwt uioztoyjhfgju uxxtfi, k jemq vblahrul wv iubhwobjbfloe bqkq ulyu sjmzj mxbe sw myd akkxeevkf qzgx Mjsjmwk pcb pczumbsetrnzj hn ibgk lzbe gx cev sy aouigx lf hcsgo njngeqoh gtmzhfry.
Eme kcaujv xxsb uo, diic zvh vqfj w oavens, osruxu qizaxw auv sijby hubp brjklhoq. Cjzblug jsu ac uvvwfdc nxdtqdd spgmra odkj baa wdrr vxniqw evlpnw rhso epldvkgztfgws jwbrj kqaeb sk afuypdq a xaifnwjd sqnaq. Wylq'o w albsfu pvaixpt qgmajkgu.
Mdpkjsbm ku fzk, sg mam'rw y Ruopmqm chjh, zg hnzhy ybmn epeqaljr. Hdb dhbxz izem oaap xx igsy Eleyz Uktumq'n cinvsn ssy pjwjs Jvhgosv fy i zggkol rbnolbiawq.
Eal xcfb tj Syhptpv: gehm://srq.avqexni.ixj
