It was announced last week that nearly 7 million Dropbox usernames and passwords have or may have been hacked (Read story here). There is some confusion over what has been hacked and how. Dropbox claims that the usernames and passwords were stolen “from other services” and used to attempt to log into Dropbox accounts.

There is a trend for hackers to attack third parties with access to popular online services such as Dropbox, Snapchat, and even Apple. By attacking third parties with access to such online services, hackers hope to gain access through less protected servers. Once hackers have usernames and passwords for popular online services such as Dropbox, the hackers attempt logins on that site as well as other online services hoping to exploit the fact that people often use the same logins for multiple services.

What is your risk as a consumer? If you are one of the countless online users who have the same username and/or password for multiple online services, you are at risk. Never use the same username for multiple online sites. And more importantly never use both the same password and usernames. You’re setting yourself up for hackers to access your identity, your bank account, your security questions on other sites, and a huge personal and possibly financial disaster.

What should you be doing as consumer? Create strong and unique usernames and passwords for each online service you use. Change your password on a regular cycle. Most employers with sensitive information require employees to change their passwords every 90 days at a minimum. When was the last time you changed your online banking password? Is it the same as your Facebook password? Yes, it is a challenge to keep your information safe. But, how much more of a challenge will it be when you can’t file your tax return next year because someone already filed using your social security number? Be smart. Be safe.

What is your risk as a third party with access to popular online sites? You risk being the gateway for hackers to infiltrate through your server and into services like Dropbox, Facebook, Snapchat, etc. Third parties who provide access to online health records have exposure to huge civil fines and penalties under HIPAA, the Health Information Privacy and Accountability Act. Some health information providers and their third parties also have reporting requirements under the Federal Trade Commission. Providers in the financial services industry face a host of regulations and the possibility of civil liability for data breaches. Class action suits against your company are not a remote and unlikely possibility for third parties who compromise consumer data by failing to use strong security measures. Is your company setting itself up to be the gateway for hackers to raid an online health care information service or online banking service by exploiting your vulnerabilities?

What should you be doing to prepare your company for a cyber attack? Develop and document your security measures, and reevaluate them on a routine basis. Have in hand before any attack occurs, a communication plan for the media, your customers, and stakeholders. If you only have 30 to 60 days under the law to notify customers of a breach and you have no plan in place, how long do you think it will take you to both figure out what happened, how it happened, how to close the exploited method, AND contact everyone who is required to be contacted? It’s doubtful that while you and your company are under the gun, you will have the presence of mind or time to generate the media responses and communications you will need, plus take the steps necessary to reduce your liability in the event of a lawsuit against you.

For more information regarding the Dropbox cyber attack or how to keep you and your company safe from cyber attacks, contact the Goosmann Law Firm at or call 712-226-4000.

Photo Copyright: jovannig / 123RF Stock Photo

Subscribe Our Blog

DISCLAIMER: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. By visiting this website, blog, or post you understand that there is no attorney client relationship between you and the Goosmann Law Firm attorneys and website publisher. No information contained in this post should be construed as legal advice from Goosmann Law Firm, PLC, or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.