Although a great number of businesses uses Dropbox as their primary file hosting service, few people know how secure their corporate files are. Dropbox is not as insecure as some skeptics would suggest, but recent headlines about data breaches make us question its reliability for business usage.
Why Dropbox Breaches Happen?
- Anyone can access Dropbox shares – When users share files and folders, Dropbox creates a public URL that can be accessed by everyone without the need to enter a username and password.
- It uses a single encryption key for all your data – Encryption is the main safeguard against security breaches and hacks. By using a single encryption key Dropbox exposes users at risk of data theft and the keys required for decryption.
- Dropbox reviews your data to reduce costs – When you upload files; Dropbox reviews the data to check whether it’s already uploaded by a different user. If it was uploaded before, the service will point to the uploaded file. Avoiding duplicate storage of identical files across multiple user profiles saves Dropbox great deal of resources and money. This reduces storage costs, but at the same time puts your data at risk.
Hackers Held 7 Million Dropbox Passwords Ransom
Last year hackers stole 7 million Dropbox login details and threatened to publish account details unless they receive Bitcoin ransom.
It was unclear how the hackers accessed the login details, and Dropbox spokespersons claimed how they were stolen from third-party services.
Even if this was true, the service still allows third party access, compromising user’s information.
Your Files are Indexed by Google
This is another major vulnerability allowing discovery of private file transfer links.
It was discovered by Intralinks when examining the data from Google AdWords campaigns that mentioned “Dropbox” as a term. They discovered clickable URLs that lead to sensitive documents stored on the cloud.
If a file stored on Dropbox contains a clickable link to a third-party site, the Dropbox Link to the document will be incorporated in the referring URL sent to the third-party site.
You can’t customize the privacy settings of your Shared Links while using the free Dropbox option and that’s the main reason why this problem keeps reoccurring.
Hackers Prefer Dropbox When Attacking Corporate Data
A new type of attack called Man in the Cloud can turn Dropbox into a devastating attack tool, without compromising user’s login information. With the help of PoC switch tools, hackers can execute one of these MITC attacks:
- The Quick Double Switch – Gives the attacker the permission to share file synchronization accounts, to gain access to the files and use malicious software or code to do the damage.
- The Persistent Double Switch – Almost identical with the previous method, but it also gives your attacker the ability to access your account from a remote location.
- The Single Switch – Your data gets hit by malicious software, which acts as a virus in your Dropbox account.
The UK’s Law Society Warned Law Firms Dropbox Could Breach Data Protection Act
The Law Society has published a practice note on the usage of cloud services in law firms, alarming them how they could potentially break the Data Protection Act.
It contains extensive information on why the use of Dropbox or similar platforms could be in breach of the Data Protection Act. Although the practice note is not legal advice, law firms are strongly advised to follow it so they can protect themselves and their clients.
Dropbox has a number of advantages, including:
- Improved backup recovery,
- Storage capacity and infrastructure
… Among other things, but it also carries major security and reliability risks, which your business should carefully evaluate before opting in. Dropbox has been working to improve its security, but it remains a service over which businesses still lack full control.