In recent weeks, there have been data breaches involving passwords and email addresses from JP Morgan Chase, celebrity nude photos from Apple's iCloud, more than 70,000 images from Snapchat and now a new alleged hack at Dropbox -- a claim it denies.
Many of those hacks didn't involve a security breach of the company's own servers but were instead the result of brute-force password attacks, customers' use of third-party apps not authorized for use on the original service, or names and passwords collected from websites not related to the cloud service that hackers claimed to have broken into.
This week on code-sharing site Pastebin, an anonymous poster claimed nearly seven million Dropbox accounts had been hacked. The poster then published 100 of them and threatened to reveal them all if not offered a Bitcoin reward.
Dropbox security engineer Anton Mityagin insisted the company's servers had not been hacked, saying in a blog post, "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox."
Responses to many of the recent attacks have been similar to Dropbox's. Chase says there's no need to change PIN numbers or passwords or replace credit and debit cards; Apple claims its iCloud is secure and Snapchat denies any wrongdoing on its part.
Experts, however, argue that online companies are not doing enough to monitor their networks and identify malicious activity, or to encrypt data before it is stored.
"Service providers can block brute-force attacks. For example, if you see the same IP address logging in 100 times, that's something you should check," said Engin Kirda, a professor at the College of Computer and Information Science at Northeastern University and co-founder of Lastline Inc., a maker of security and malware protection software.
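The check Kirda describes, as an added example that is not part of the article: a small Python detector that reads constructed login-log lines, counts attempts per source IP in a sliding time window, and flags any source that reaches the threshold. It also reports how many distinct usernames that source tried, which separates a replay of stolen credentials across many accounts (the pattern Dropbox describes) from a guessing attack on one account. The log format, the 100-attempt threshold, the ten-minute window and the sample data are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# "<ISO-8601 timestamp> <source ip> <username> <ok|fail>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail)$")


def parse_line(line):
    """Return (timestamp, ip, username, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result


def detect_brute_force(lines, threshold=100, window=timedelta(minutes=10)):
    """Flag source IPs with >= `threshold` login attempts inside any sliding
    `window`. Returns {ip: (attempts_in_window, distinct_usernames_tried)}.
    Many distinct usernames from one source is the credential-stuffing
    pattern the article describes: stolen pairs replayed against many accounts."""
    attempts = defaultdict(deque)  # ip -> timestamps still inside the window
    users = defaultdict(set)       # ip -> every username that source tried
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, _result = parsed
        q = attempts[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), len(users[ip]))
    return flagged


def sample_log():
    """Constructed sample: one source replays 120 stolen credentials in two
    minutes; a second source is a user mistyping a password once."""
    base = datetime(2014, 10, 14, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 user{i} fail"
             for i in range(120)]
    lines += [f"{(base + timedelta(minutes=3)).isoformat()} 198.51.100.4 alice fail",
              f"{(base + timedelta(minutes=4)).isoformat()} 198.51.100.4 alice ok"]
    return lines
```

Running `detect_brute_force(sample_log())` flags only 203.0.113.7, with 100 attempts in the window and 100 distinct usernames; the legitimate source never reaches the threshold.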
Snapchat's breach this week, which involved a third-party app collecting user photos for years, comes five months after the company settled a suit with the Federal Trade Commission (FTC) over charges that it deceived consumers with promises about the disappearing nature of messages sent through the service.
The need for greater visibility
According to the FTC's complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
For example, the FTC alleged that Snapchat stored video snaps unencrypted on the recipient's device in a location outside the app's "sandbox," meaning that the videos remained accessible to recipients through a device file directory.