Reports of data breaches and cyberattacks are serious, but what happens when those claims are untrue?
According to Krebs on Security, last week, several identity theft protection companies incorrectly named Dropbox as the source of a data breach that compromised nearly 73 million usernames and passwords.
In fact, the data was actually compromised due to breach at social network Tumblr, just one of the many data breaches to hit social networks in recent months.
“The credentials leaked in connection with breaches at those social networking sites were stolen years ago, but the full extent of the intrusions only became clear recently — when several huge archives of email addresses and hashed passwords from each service were posted to the Dark Web and to file-sharing sites,” Brian Krebs wrote in the post.
LifeLock confirmed that it notified some of its members that their Dropbox credentials were detected on the internet, but Dropbox itself did not have a data breach.
“We have learned that LifeLock and MyIdCare.com are reporting that Dropbox account details of some of their customers are potentially compromised,” Patrick Heim, head of trust and security at Dropbox, told Krebs. “An initial investigation into these reports has found no evidence of Dropbox accounts being impacted. We’re continuing to look into this issue and will update our users if we find evidence that Dropbox accounts have been impacted.”
Through his investigation, Krebs tracked down the source of the false positive: identity monitoring firm CSID.
“Our mandate is to alert our client subscribers when we find their information on the Dark Web,” Bryan Hjelm, VP of product and marketing for CSID, explained to Krebs. “Regardless of the source, this is compromised data that belongs to them.”
Though Hjelm admitted there have been "reputational concerns" from Dropbox and other companies due to the misattribution of the breach, he pointed out that this was the first time an incident like this has taken place for CSID.