Dropbox is a file hosting service that provides businesses and individuals with cloud storage and file synchronization, organized within a single platform. With over 700 million registered users, Dropbox has emerged as one of the most popular choices for organizations looking to share their assets in a cloud-based format that’s easily accessible to employees, wherever they are physically located.
But while Dropbox streamlines the collaboration process by making assets viewable with just a few clicks, this convenience does come with some downsides. There are a number of Dropbox security concerns, specifically regarding file sharing and making sensitive information so easy to access.
Your Dropbox should be an asset to your company - not a liability. In order to ensure that your company’s sensitive data and critical information remain safe, you’ll need strong Dropbox security.
There are two elements to Dropbox security you should keep in mind: making sure the assets you create and store within your Dropbox are safe, and protecting your company’s account information.
Dropbox secure file sharing and asset security
Most companies have a significant amount of sensitive data contained within their Dropbox assets. Whether it’s a spreadsheet used by your Finance team or a slideshow that lays out your marketing plan for the next quarter, your Dropbox likely has numerous assets that include insider information that you wouldn’t want exposed to the public.
Because it’s so easy on Dropbox to set wide permissions, which make assets viewable to the public or external users, you may inadvertently be sharing business-critical data with unknown parties without realizing it.
Once access has been granted to an asset, that information can be viewed, copied, and moved along very quickly. Potential exposure issues need to be detected as swiftly as possible to ensure that sensitive data doesn’t fall into the wrong hands.
That’s not to mention that on Dropbox, third parties who have access to your company assets, such as external contractors, can then grant access to fourth parties - and your organization has zero notification or control over that happening.
How to secure your sensitive data assets within Dropbox
The first and most important step to securing your sensitive data assets within Dropbox is understanding where you currently stand. That means comprehensive discovery and mapping of all your Dropbox assets and identities, including access permissions.
It’s critical to note that this mapping must be continually updated in as close to real-time as possible, as the Dropbox environment is dynamic and constantly changing. Keeping track of all assets and sharing settings manually is impossible, so you’ll need to embrace pre-set workflows for alerts and automated remediation.
DoControl’s SSPM solution was designed to address these specific Dropbox security issues. Fine-grained access controls ensure that you’re kept in the loop and notified quickly any time a sensitive asset is shared, and the platform gives you a comprehensive view of all the Dropbox assets across your entire organization.
Dropbox account security
As a large SaaS provider that serves millions of customers, Dropbox is a prime target for bad actors who want those customers’ data. Customer data can be leveraged directly or indirectly to obtain access to the customers’ accounts and internal systems.
Armed with this data, cybercriminals can view, copy, and access your sensitive information from within Dropbox, as well as other apps that use the same login credentials. These cybercriminals could threaten to expose this data unless you pay up, or use it for nefarious purposes.
Bad actors can often leverage your Dropbox credentials and shared accounts to access other SaaS solutions used by your business, whether it's by using usernames and passwords to access additional platforms, or by using your Dropbox account itself to view data within linked solutions.
April 2024 Dropbox security breach
Recently, bad actors gained access to Dropbox’s Sign, its e-Signature solution, via a service account with elevated privileges. They were then able to access an extremely sensitive customer database containing critical information, including customer emails, usernames, phone numbers, hashed passwords, general account settings, API keys, OAuth tokens, MFA and more.
While this Dropbox security breach was quickly detected by the company and remedial steps were swiftly taken to minimize the risk to customers, this incident illustrates the very real Dropbox security issues that could potentially affect your organization.
Dropbox’s strategy for preventing harm to their users included resetting all user passwords, logging out sessions, and limiting API key usage until customers could rotate their keys. Furthermore, Dropbox directly informed affected users, cautioning them about possible phishing attempts and offering advice on securing their accounts.
But if Dropbox hadn’t acted fast, their customers may have been in serious trouble. And there is the perpetual danger of bad actors using the emails and usernames for phishing attacks, with the goal of gaining access to customers’ Dropbox accounts.
Ensuring your Dropbox security means protecting your organization
There are a number of steps you can take to safeguard your company from Dropbox security issues. Most of these practices are predicated on a proactive, zero-trust approach that requires your organization to never be complacent when it comes to Dropbox security concerns.
Any notifications regarding a Dropbox security breach should be a high priority for your business. If Dropbox or any other SaaS provider tells you to rotate your API keys, OAuth tokens, or anything else, you must do so immediately, because those can be used to recreate logged-in sessions, even without usernames, passwords or any other credentials.
You may think rotating your API keys or tokens is more hassle than it's worth, because perhaps you believe that some of those elements aren’t currently in use. But if you’re wrong, you could be setting yourself up for a serious breach and public exposure of your sensitive data.
Following a breach, Okta advised Cloudflare to rotate their tokens and credentials. However, while they rotated thousands, Cloudflare left four untouched, assuming they were not in use.
This decision proved to be a fatal mistake. Armed with the credentials which were incorrectly assumed to be unused, the cybercriminals managed to access Cloudflare’s Atlassian server.
There, they searched for Jira tickets related to vulnerability management, multifactor authentication bypass, network access, and more. They were also able to access Cloudflare’s source code management system within Atlassian Bitbucket. 67 of Cloudflare’s 120 code repositories were exfiltrated. Additionally, Cloudflare’s internal wiki (located on Atlassian Confluence) and an AWS environment used to power the Cloudflare Apps marketplace were also accessed by the bad actors.
All because they didn’t rotate four tokens.
Warn your employees not to click on any links that look like they were sent from the breached provider, and stress that it’s critical they avoid giving the sender any access information. Employee education and training is crucial for ensuring that a potential breach can be stopped before it happens. Your team is truly your first line of defense when it comes to phishing and other social engineering attacks.
Use a robust SSPM solution to monitor your SaaS activity in Dropbox (or whichever provider you use) and catch unusual behavior that might indicate a bad actor has gained access to your system. Warning signs that a threat actor may have infiltrated your Dropbox environment include:
- Bursts of public sharing
- Sensitive files being shared externally/publicly
- Sharing with personal accounts
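The three warning signs above, together with the asset-and-permission mapping described earlier, can be expressed as simple detection rules over sharing events. The following is an added example, not code from the original post or from DoControl’s product, and it does not use the real Dropbox audit-log schema: the event fields (actor, path, audience, recipient, sensitivity, timestamp), the company domain example.com, the personal-mail domain list and the burst threshold are all constructed assumptions, and the sample events are made up for illustration.

```python
"""Detection rules for the Dropbox sharing warning signs discussed above.

Added example. The ShareEvent fields are an assumed, simplified shape, not
Dropbox's real audit-log format; the sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_LABELS = {"confidential", "restricted"}  # labels from the asset mapping


@dataclass(frozen=True)
class ShareEvent:
    ts: datetime        # when the share or link was created
    actor: str          # account that performed the share
    path: str           # asset that was shared
    audience: str       # "public" (anyone with the link), "external" (named user), "team"
    recipient: str      # named recipient's email, or "" for public links
    sensitivity: str    # classification label assigned during discovery/mapping


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def public_sharing_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Actors that created at least `threshold` public links within any `window`.

    Returns {actor: peak count inside one window}. A sliding window over the
    sorted timestamps catches a burst regardless of where it falls in the day.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e.audience == "public":
            per_actor[e.actor].append(e.ts)
    hits = {}
    for actor, stamps in per_actor.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[actor] = max(hits.get(actor, 0), count)
    return hits


def sensitive_external_shares(events):
    """Sensitive assets exposed via a public link or to a user outside the company."""
    return [
        e for e in events
        if e.sensitivity in SENSITIVE_LABELS
        and (e.audience == "public"
             or (e.audience == "external" and _domain(e.recipient) != INTERNAL_DOMAIN))
    ]


def personal_account_shares(events):
    """Shares whose named recipient is on a consumer mail domain."""
    return [e for e in events if _domain(e.recipient) in PERSONAL_DOMAINS]


def run_detections(events):
    """Apply all three rules and return the findings keyed by rule name."""
    return {
        "bursts": public_sharing_bursts(events),
        "sensitive_external": sensitive_external_shares(events),
        "personal": personal_account_shares(events),
    }


# Constructed sample events (not real log data).
_T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    # six public links from one account in eight minutes: a sharing burst
    *[ShareEvent(_T0 + timedelta(minutes=m), "alice@example.com",
                 f"Marketing/brochure-{m}.pdf", "public", "", "public")
      for m in (0, 1, 2, 3, 5, 7)],
    # a confidential spreadsheet shared with an outside contractor
    ShareEvent(_T0 + timedelta(minutes=20), "bob@example.com",
               "Finance/Q3-forecast.xlsx", "external", "contractor@partner.io", "confidential"),
    # a non-sensitive deck shared to a personal mailbox
    ShareEvent(_T0 + timedelta(minutes=25), "carol@example.com",
               "Marketing/deck.pptx", "external", "dave@gmail.com", "internal"),
    # ordinary in-team share: triggers nothing
    ShareEvent(_T0 + timedelta(minutes=30), "bob@example.com",
               "Finance/Q3-forecast.xlsx", "team", "erin@example.com", "confidential"),
]

if __name__ == "__main__":
    for rule, findings in run_detections(SAMPLE_EVENTS).items():
        print(rule, findings)
```

Each rule depends on the discovery step: without a sensitivity label per asset and a known list of internal domains, the second and third rules have nothing to compare against, which is why the mapping has to be kept current rather than done once.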
DoControl’s SSPM solution covers all your bases when it comes to Dropbox security. Our platform provides you with comprehensive, robust data security that ensures your sensitive data in Dropbox is safeguarded. Our risk-based approach provides you with total control over your assets, including granular access controls, logical prioritization of identities when it comes to levels of access, and crucial visibility into all your sensitive data exposures.
Dropbox Security FAQ
What is a Dropbox security breach?
A Dropbox security breach refers to any time that a bad actor accesses your company’s Dropbox assets without your permission or knowledge. This could look like a number of different scenarios, from a cybercriminal using a phishing attack to obtain a user’s credentials and log in to your Dropbox, to a former third-party collaborator using their permissions inappropriately to access sensitive data within your Dropbox account.
What are the risks of using Dropbox?
Like any cloud-based file-sharing service, using Dropbox comes with some risks. The major risk of using Dropbox is that your sensitive data could potentially be exposed to a threat actor. This is especially concerning for companies that store critical information, like customer details and financial information or payment methods, within the assets in their Dropbox.
What are the common Dropbox security issues?
Social engineering attacks, such as phishing attacks and other attempts to persuade users to turn over their credentials to a bad actor, are one common threat to your Dropbox security. Another security issue is improper sharing settings, which allow users to view, access, and copy sensitive information which should not be shared with them. There is also a risk that a security breach in a company that’s linked to your Dropbox, such as Okta or Atlassian, could provide a backdoor for bad actors to access your internal data.
Why is Dropbox security important?
Strong Dropbox security is incredibly important for your business, as it can mean the difference between keeping your organization's critical data safe, or a Dropbox security breach that carries serious consequences for your brand reputation and business operations. Your Dropbox security strategy is the key to ensuring that you safeguard the business-critical data that’s central to your company operations and the trust of your clients.
How can I secure my Dropbox?
There are several steps you need to take to secure your Dropbox account. First, you should perform an extensive accounting of exactly what sensitive information is contained within your Dropbox assets and where it’s located. Second, invest in training your employees regarding best practices for sharing sensitive data within Dropbox and recognizing attempts (like phishing) to obtain their credentials. Finally, invest in an SSPM that provides you full visibility into your Dropbox assets and sharing settings.