You may have seen the headlines yesterday. Even so, it is still not clear whether some seven million Dropbox accounts will indeed be exposed online, after reports that hackers had got hold of them.
The online storage company has played down the impact, saying its service was not hacked and some of the information leaked so far was from unrelated services. Certainly, this incident resembles an earlier scare – millions of Google accounts were feared exposed last month, until they turned out not to be.
Still, these incidents, coming so close together, are sure to jolt many users out of their complacency with cloud-based services.
It is not only the iCloud accounts of celebrities that can be hacked, as we saw recently with Jennifer Lawrence. When millions of login details are exposed, many ordinary Joes have to worry about their private photos, tax documents or anything they value closely being leaked or lost.
The thing about online services like Dropbox is that they were supposed to be safer than keeping stuff stored at home on a PC. Now that conventional wisdom is challenged. Maybe it is smarter to keep your money under the pillow than in a bank, after all?
To be fair, there’s no evidence yet that Dropbox or indeed other major online services such as Google have been exposed because of some shoddy security on their part. In many cases, the passwords could have been stolen because hackers have got smarter in getting to users’ secrets.
One way is to hack into a less secure online service, steal that username and password and use the same login credentials for well-known services such as Google or Dropbox.
Say you have “michaeltan” as the username for all your online accounts. A hacker could hack one of the weakest ones and try logging in to the rest with the same password. Sometimes he gets lucky and he gets in.
In the same way, a hacker could also get access to your sensitive accounts by getting into one of your most important e-mail accounts – the one you use to verify and change passwords for the rest.
Say, if your PayPal or Twitter account requires a change in password, a notification will be sent to a pre-set e-mail account. If a hacker has access to that, he can effectively get into a whole bunch of your accounts that are tied to it.
Sometimes, hackers turn to the third-party add-ons that users sign in to in order to enhance the original services. Snapchat, the online chat service, said this week that 200,000 user pictures reportedly exposed online were down to third-party apps that save these pictures without users’ knowledge.
What are the lessons here? Clearly, users have to step up on security because hackers have got smarter in accessing these “chained” online accounts we have set up for ourselves over the years.
All they need is a small piece of malware to get into one account, before being able to “guess” at the login details of many others. This type of intrusion can be used for sophisticated espionage at high-value targets but it is also useful for sussing out millions of accounts at a go.
Thus the onus falls back on the consumer to secure things. Despite the best efforts of the industry, clearly the threat has increased and a change of mindset is needed for users to keep attackers at bay.
Here are some factors to consider:
1. Do you need to store everything online?
Sure, those documents you need on the road may be useful on the cloud, but what of the holiday photos? Can they be shared any other way, other than through Dropbox or Facebook? Can you back them up on your own network drive, instead of going on the cloud?
2. Do you have all your accounts with the same username?
It’s quite a common practice, because we don’t like to remember so many things for so many accounts. But if you do have the same username – and can’t change that easily now because your friends associate you with it – at least make sure to use different passwords.
3. Would you consider two-factor authentication?
By logging in with an additional password, delivered over a text message, mobile app or even a hardware token, you are making it harder for someone to gain access to an online account.
You have to turn this on manually though, for services such as Google and Dropbox. Consider the additional security if your account contains sensitive data. Definitely use it if your account is the main one that is used to change the passwords of other accounts, say, your PayPal or Twitter accounts.
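To see how the “chained” accounts described earlier hang together, here is an added example (not part of the original article) that takes a constructed inventory of one person's accounts and works out which of them fall if one is breached. The account names, the `Account` fields and the simplifying rule that two-factor authentication blocks both a reused password and a reset e-mail are assumptions made for illustration.

```python
from collections import deque, namedtuple

# mailbox:  address this account receives mail on (e-mail accounts only)
# recovery: address the service sends password-change notifications to
Account = namedtuple("Account", "name username password mailbox recovery two_factor")

# Constructed sample data. The password values are labels, not real secrets;
# only whether two accounts share the same label matters.
ACCOUNTS = [
    Account("forum",    "michaeltan", "pw-A", None, "mt@mail.example", False),
    Account("webmail",  "michaeltan", "pw-A", "mt@mail.example", None, False),
    Account("storage",  "michaeltan", "pw-B", None, "mt@mail.example", False),
    Account("payments", "michaeltan", "pw-C", None, "mt@mail.example", True),
    Account("bank",     "m.tan.77",   "pw-D", None, "mt2@mail.example", True),
]

def blast_radius(accounts, breached):
    """Return the names of accounts exposed once `breached` is compromised."""
    by_name = {a.name: a for a in accounts}
    fallen, queue = {breached}, deque([by_name[breached]])
    while queue:
        cur = queue.popleft()
        for acc in accounts:
            # Assumption: two-factor stops both routes into an account.
            if acc.name in fallen or acc.two_factor:
                continue
            # Route 1: same username and password reused on another service.
            reused = (acc.username, acc.password) == (cur.username, cur.password)
            # Route 2: password reset sent to a mailbox that has already fallen.
            reset = cur.mailbox is not None and acc.recovery == cur.mailbox
            if reused or reset:
                fallen.add(acc.name)
                queue.append(acc)
    return fallen

def with_two_factor(accounts, name):
    """Return a copy of the inventory with two-factor turned on for `name`."""
    return [a._replace(two_factor=True) if a.name == name else a for a in accounts]

if __name__ == "__main__":
    print("forum breached:", sorted(blast_radius(ACCOUNTS, "forum")))
    hardened = with_two_factor(ACCOUNTS, "webmail")
    print("same breach, webmail has 2FA:", sorted(blast_radius(hardened, "forum")))
```

In this sample, a breach of the forum reaches the webmail account through the reused password and then the storage account through a reset e-mail. Turning on two-factor for the webmail account alone confines the breach to the forum.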
It’s clear that there is no fail-safe way to keep out hackers. It’s a cat and mouse game where one side gets smarter each time, only to be outsmarted the next.
For now, hackers seem to have gotten the upper hand, going by the number of intrusions of late. That’s a good reason for consumers to toughen up the security of their online services.
Got more tips for consumers to stay safe online? Share in the comments.