What Site to Trust Next
22 June 2011
Updated 25 May 2019: Link rot. Replace shouldichangemypassword.com with haveibeenpwned.com
As Dropbox is my favorite (and currently, only) cloud storage provider, I place a lot of trust in them, both in terms of reliability (they are my backup system) and security (I store my journal with them). I trust Dropbox with a huge part of my digital life, so I stay up to date on their company goings-on in order to make sure my trust is not misplaced, and thus far, it has not been.
However, on Sunday Dropbox had a particularly bad security issue: a software update left all accounts accessible without a password for a little over 4 hours, at which point the issue was fixed, though 1% of Dropbox’s millions of users were affected. The issue was kept relatively quiet; the Dropbox crew emailed all affected users and posted a low-key announcement on their blog that was picked up by a number of other blogs. It comes at a bad time for Dropbox, given Sony’s recent issues and the wave of hacking going on that even allegedly resulted in the UK’s 2011 Census data being stolen. Not to mention, of course, the recent, unannounced features of Facebook and Google (facial recognition and contact list searching) that have raised accusations of breaches of privacy.
It is worth noting that I was not one of the affected Dropbox users, but simply someone who is extremely careful when it comes to online security. With that said, I am now searching for a new means of storing files online that suits my high expectation of security - and once I find one, I’ll be sure to write about it. Not that I’ve lost my love of Dropbox, just my trust in them when it comes to storing more sensitive files without encrypting them prior to sending them to Dropbox’s storage.
On a relatively related note, passwords were published from several hacked sites including Gmail, PayPal, World of Warcraft, and Facebook. Although these are directly related to the recent wave of hacking, it raises the question of whether or not too much trust is placed in those sites. To find out if your account was among the hacked, visit https://haveibeenpwned.com/. If it was hacked, or if you’re rightfully paranoid, consider turning on the 2-step verification that Google and Facebook both offer, so that if your password is compromised, your account still can’t be logged into unless the perpetrator also has your phone to receive the second verification code needed to log in. Changing your passwords regularly should also go without question.