Unfortunately, every few days we hear new headlines about some important web service that’s seen its privacy compromised. This weekend we got a double serving of this news with the announcement that many Dropbox and Snapchat users have had their account details stolen. In both cases, though, it’s been confirmed that the services’ own servers weren’t hacked; rather, those affected had used unofficial third-party apps or used the same account details in several places.
Dropbox confirmation
A few days ago, an anonymous hacker confirmed via Reddit that he’d obtained the credentials to seven million Dropbox accounts, displaying a few hundred of them via plain-text screenshots as an “advance” and requesting payment in Bitcoin from other users to publicly share the rest. It was quickly confirmed that many of these accounts and passwords were in fact real, although the source of the leak still remains a mystery.
Dropbox waited a bit before releasing an official statement clarifying that these account names and passwords weren’t taken from its own servers, which have not suffered any attacks. The company has confirmed that the mass theft came from the hacking of some third-party service. Given the common but terrible habit of using the same account name and password for different services, a large percentage of the entries in the hacked user database coincided with Dropbox credentials.
As if that weren’t enough, a few days prior a problem was announced with some older versions of the Dropbox desktop client that erased many users’ stored files after a sync error. After the company confirmed the problem, those versions of the client were blocked, those affected were given a free year of Dropbox Pro, and part of their deleted content was recovered.
Snapchat and its Facebook app
Snapchat is a well-known service for sending and receiving photos that you can set to delete immediately after they are viewed. In this case, it’s been confirmed that 500MB of photos have been stolen from many users, although again, this security breach did not come from Snapchat itself but rather from an external tool called Snapsave, which makes backup copies of the images you receive. It appears Snapsave kept those backup copies even after the user had deleted the images, and the hacking of its database is what caused the current situation.
Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our ToU.
— Snapchat (@Snapchat) October 10, 2014
Moral of the story
The preceding tweet from Snapchat’s official Twitter account leaves things quite clear: using third-party tools to interact with the official client is strictly prohibited as specified in the terms of use. Both this case and the Dropbox one make clear that you should be extremely careful when using third-party apps that interact with other tools. In this era of webapps and social login, it’s common to “slip” and register on sites or use tools of dubious provenance given how easy they are to use, but for the umpteenth time: common sense is king.
Although no app is 100% safe (and nobody knows that better than Snapchat itself after the incident where thousands of phone numbers were revealed in January of this year), you can’t be too careful. Besides the obvious recommendation of using different passwords for each site you register on, it’s also increasingly common to set up two-step confirmations to safeguard your accounts, as suggested by Dropbox itself. And if not, there’s always your external hard drive that you can hide under your mattress.
It looks nice
It is a nice app and I like it