Bill Snyder, who blogs at CIO, says Dropbox, a popular consumer app for file sharing that some advisors are using to share documents with clients, dragged its feet in admitting it was hacked and that the episode presents a teachable moment.
"Dropbox needs to forget that it's hot and trendy and remember that it won't stay successful if it doesn't do a better job of keeping its users safe," says Snyder.
It would be wise to change your Dropbox passwords.
Advisor Products offers a client vault and I'm totally confilcted in covering this issue. But in my experience using consumer apps for professional services is a bad idea. Would you use Quicken for financial planning?
Dropbox is great for sharing photos and moving documents quickly. I use it. But I would not put any personal data on it.
Consumer apps don't have security standards advisors need. You can configure some of them to do many of the security policies needed, but it's just too easy for you and your clients to circumvent your policies when you changing them is so easy. Apps that are so easy to use just invite sloppiness.
The game that consumer apps play with people's data is simple. They make it really easy for you to use their "secure" apps by not requiring strong passwords. But the ease of use they gain by dropping security standards is easily confused with useability and being user friendly.
Consumer apps with millions of users are rich targets for hackers. Sure, those companies are giants and have the best tech minds in the country working for them. But if anything is hackable -- and that is unfortunately the case -- big targets will be preferred by hackers.
Additional coverage of this security breach:
ZDnet says Dropbox noted in a nlog post that it recently found that usernames and passwords stolen from other Web sites were used to log into select accounts. A stolen password was used to access an employee Dropbox account. That account had a document with user email addresses, which proved to be a treasure trove for hijackers.
Business Insider says Dropbox users should change their passwords and check a new web page displaying recent activity in your account.
"For me there are a few really concerning elements to this news and the way it was handled," according to a blog post by Rik Ferguson, Director of Security Research & Communication at Trend Micro. "A Dropbox engineer was using live customer information in a 'project document,' why, shouldn’t they be using dummy data? This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised. It is not specified which services they refer to, but again, why?"
Perhaps the most damning story came from veteran tech writer Ed Bott, who recalled that Dropbox in July 2011 sheepishly admitted that it had inadvertently published code on its web site that allowed anyone to sign in to any Dropbox account without credentials. "Running a secure online service is hard work," says Bott. "It costs money and it requires nonstop vigilance. It’s the kind of work that gets tested regularly. How a company responds to security challenges defines the difference between earnest startups and companies that deserve to graduate to the big time. Dropbox just failed that test."